IP theft goes global and gets dangerous. Here's what
CIOs can do to protect their company treasures.

BY  STEPHANIE  OVERBY 
25 Blowing Mobile

mobile  computing  Everyone  agrees  the  future  of  global 
business  is  mobile,  but  America  has  a  lot  of  catching  up  to  do 
when  it  comes  to  adopting  mobile  devices  and  strategies. 

By  Thomas  Wailgum 


57  Forum 

The  CIO  role  of  the  future  will  be  strategic. 
But  is  your  organization  ready  to  accept 
that?  The  CIO  Executive  Council  helps  you 
make  that  assessment. 

By  Carrie  Mathews 


36 Your World...Hacked

cover  story  |  global  security  As  your  business  becomes 
more  collaborative  and  global,  the  risks  to  your  company’s  trade 
secrets  rise  proportionally.  Fortunately,  there  are  new  strategies  to 
protect  the  data  that  allows  you  to  compete. 

By  Stephanie  Overby 

48  Crash 

business  continuity  CIO  Alan  Boehme  had  a  typical  business 
continuity  and  succession  plan,  but  one  terrible  moment  on  a 
California  highway  revealed  its  weaknesses.  By  C.G.  Lynch 
[CONTINUING EDUCATION]

Should You Get an MBA?

The pressure is on IT leaders to prove their business savvy, and
more and more job postings are asking for an MBA. Do you really
need one to make it as a CIO? (GE’s Gary Reiner has one; HP’s
Randy Mott doesn’t.) We asked two IT executives to help
assemble arguments for and against getting an MBA and
to tell us how that decision has affected their careers. Go to
CIO.com to read what they have to say, and add your own
thoughts to the discussion. » www.cio.com/article/122507


Click and Save with Our Interactive Global Outsourcing Map

The United States remains a powerhouse when it comes
to IT skills, but outsourcing is the name of the game for cost
cutting. Each country, however, has something different
to offer—along with different risks to manage. CIO.com's
Global Outsourcing Map offers insights into the pros
and cons of sending your IT work offshore.

Click on the “pins” to view articles from CIO.com that
explain what’s going on in outsourcing markets around
the world.

www.cio.com/article/123711 


[TUTORIALS] 

PRIMERS  ON  CORE  TOPICS 

Check out the ever-expanding list of articles in CIO.com’s ABCs
series to help you and your staff get up to speed fast on what you
need to know. Latest additions include tutorials on the Balanced
Scorecard, IT governance, and blogs and wikis. Find more at:

www.cio.com/article/40242


[STRATEGIC  CIO] 


BUSINESS  READY 

After you read “Ready for a Strategic CIO?” (Page 57), join members
of the CIO Executive Council for a panel discussion on influencing
business acceptance of a strategic CIO role. Register at:


www.cioexecutivecouncil.com/futurestatecio 


Right now @ CIO.com

» Information Collective Who are the million-dollar CIOs?
» Movers & Shakers Michael Capellas to lead First Data
» The Collaborator Net neutrality not just for hippies
» How To One CIO escapes e-mail attachment hell


[OPINION] 

The  Math/Science 
Imperative 

The  nation’s  future  depends  on 
generating  more  science  and 
math  experts,  believes  CIO 
Publisher  Gary  Beach.  Read  his 
prescriptions  for  change  in  his 
blog  at  advice.cio.com. 

FROM  THE  EDITOR 


In  a  Bad  Moment 

If  you  wait  to  plan  for  disaster,  chances  are  you’ll  be  too  late 

In Dashiell Hammett's The Maltese Falcon, detective
Sam Spade takes a moment to tell a story that has
very little to do with the black bird, the Fat Man or,
really, anything else in the novel.

A man, Spade relates, walking down the street,
is almost killed by a brick falling from a building.
Reflecting on his narrow escape, the man decides to
change his life. He leaves his wife, moves to another
city, gets another job. In a few years, Spade says, the
man marries a woman very much like his first wife,
finds a job very much like the one he left and is in all ways living a life
indistinguishable from the one he was so determined to change.

The  point,  Spade  said,  is  that  the  man  responded  to  a  world  that  included  bricks 
falling  from  the  sky  and  then  got  used  to  a  world  in  which  they  did  not. 

Which  brings  me  (in  an  admittedly  roundabout  way)  to  Associate  Staff  Writer  C.G. 
Lynch’s  excellent  story,  “Crash,”  on  Page  46. 

Alan  Boehme,  CIO  of  Juniper  Networks,  had  a  business  continuity  and  succession 
plan  that  was  probably  just  as  good  as  the  one  you  have  now.  Then,  on  a  California 
highway,  his  car  was  hit  by  a  drunk  driver.  In  the  aftermath,  the  shortcomings  of  his 
plan— which  are  probably  similar  to  your  plan’s  shortcomings— were  revealed. 

Today,  disaster  and  succession  planning  have  moved  way  up  the  list  of  Boehme’s 
priorities,  and  he’s  incorporating  many  of  the  lessons  he  learned  a  very  hard  way. 

He’s optimizing and automating what was largely a paper-based system; he’s
making sure that his lower-level IT employees make connections in other areas of the
business; and perhaps most important, he’s fostering management training beneath
the managerial ranks. As Forrester analyst Sam Bright says, “When attrition occurs,
you can’t take the time to catch people up.”

“When  you  think  of  business  continuity  and  disaster  recovery,  you  tend  to  think  of 
earthquakes  and  tornadoes,”  Boehme  says.  Today,  he  thinks  about  what  can  happen 
to  a  person  in  a  bad  moment.  It’s  likely  that  Boehme,  who  is  now  reacting  to  a  world 
that  includes  personal  disasters,  will  not  revert  to  thinking  about  a  world  that  does  not. 
CIOs  owe  it  to  their  organizations  to  budget  for  the  fragility  of  existence  before  they’re 
forced  to  confront  it.  A  way  to  start  is  to  check  out  “ABC:  An  Introduction  to  Business 
Continuity and Disaster Recovery Planning” at www.cio.com/article/40287.


David  Rosenbaum,  Editor 

drosenbaum@cio.com


6  AUGUST  1,  2007  |  www.cio.com 


PHOTO  BY  WEBB  CHAPPELL 


BUSINESS  TECHNOLOGY  LEADERSHIP 


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

EDITORIAL 
EDITOR  in  chief 

Abbie  Lundberg 

EDITOR 

David  Rosenbaum 

EXECUTIVE  EDITOR 

Elana  Varon 

ASSISTANT  MANAGING  EDITOR 

Emily  Henderson 

TECHNOLOGY  EDITOR 

Laurianne  McLaughlin 

SENIOR  EDITORS 

Stephanie  Gelston, 

Stephanie  Overby 

SENIOR  WRITER 

Thomas  Wailgum 

ASSOCIATE  STAFF  WRITERS 

Christopher Lynch, Katherine Walsh

SENIOR  COPYEDITOR 

Cathy  Mallen 

COPY  EDITOR 

Susan  Bryant-Still 

EDITORIAL  ASSISTANT 

Kristin  Burnham 

EDITORIAL  ADMINISTRATOR 

Jill  Paquette 

CONTRIBUTORS 

Galen  Gruman,  Robert  Mullins 

DESIGN 

EXECUTIVE  DIRECTOR,  ART  AND  DESIGN 

Mary  Lester 

ART  DIRECTOR 

Terri  Haas 

ONLINE  EDITORIAL 

ONLINE  EDITORIAL  DIRECTOR 

Christopher  Lindquist 

ONLINE  MANAGING  EDITOR 

Michael  Goldberg 

SENIOR  ONLINE  EDITORS 

Sandy Kendall, Meridith Levinson,
Shawna McAlearney, Esther Schindler

ASSOCIATE  ONLINE  EDITOR 

Diann  Daniel 

ONLINE WRITER

Al Sacco

ONLINE COPY EDITOR

David Gradijan

RESEARCH 

RESEARCH  MANAGER 

Carolyn  Johnson 

SENIOR  RESEARCH  ANALYST 

Seanna  Maguire 


CXO MEDIA INC.


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 



©CXO  Media  Inc. 


who covers what www.cio.com/staff
e-mail letters@cio.com phone 508 872-0080
fax 508 879-7784 address CIO Magazine, CXO Media
Inc., 492 Old Connecticut Path, P.O. Box 9208,
Framingham, MA 01701-9208 website www.cio.com
SUBSCRIBER SERVICES 866 354-1125 • Fax 847 564-9453 • E-mail cio@omeda.com
reprint services Keith Williams • PARS International
• 212 221-9595 ext. 319 • E-mail keith.williams@parsintl.com
rights and permission Yadira Pizarro •
212 221-9595 ext. 231 • E-mail yadira@parsintl.com


FROM THE PUBLISHER


Poisonous  CIOs? 

The  debate  over  who  should  control  IT  continues  to  rage 


Large IT shops are “the most regressive and
poisonous force in technology today,” said Walter
Mossberg, technology columnist for The Wall Street
Journal, in a speech in June to 250 college and
university presidents and administrators.

A  lot  of  IT  professionals  seem  to  agree  with  him, 
according  to  the  comments  posted  on  Mossberg’s 
statement  on  The  Chronicle  of  Higher  Education’s 
website.  Wrote  one  CIO,  “As  much  as  reading  about 
Mr.  Mossberg’s  comments  makes  my  forehead  red,  if 
we  think  he’s  completely  off  base  with  this  assessment,  we  are  kidding  ourselves.” 

Mossberg  seems  to  be  saying  that  CIOs  have  two  possible  paths  to  tread.  One  is  to 
create  an  infrastructure  that  encourages  the  self-enabled,  free-to-download,  creative- 
minded  user  (like  so  many  of  the  twentysomethings  entering  your  workplace  today). 
The  other  is  to  stick  employees  in  a  locked-down,  generic,  single-vendor,  highly  secure 
environment  run  by  central  IT.  (To  learn  how  CIOs  can  find  an  acceptable  middle 
ground, read “How CIOs Can Learn to Love IM,” at www.cio.com/article/120159.)

Of  course,  many  people  label  Mossberg  as  a  “device  junkie  living  in  another  world” 
and  recommend  that  IT  professionals  ignore  his  advice. 

The  use  of  technology  in  large  firms  and,  in  particular,  the  challenge  of  managing 
the  needs  of  diverse  employees  was  summed  up  well  by  one  CIO  who  wrote,  “Making 
[IT  infrastructures]  work  for  [both]  the  extraordinarily  technology  literate  users  and 
the  ‘we-need-an-easy-button’  crowd  is  impossible.” 

During his speech, Mossberg displayed an iPhone as an example of creativity,
which inspired one CIO to write, “Enjoy your iPhone, Mr. Mossberg. Where did all
the music come from again? Oh yeah—a central, finite music library in a specific
format from a specific company that charges you a monthly fee to keep you from going
anywhere else. This is some forward, nonpoisonous thinking for you!”

Hmmm.  Sure  sounds  like  the  typical  central  IT  control  model  to  me. 

What are your thoughts? Are Mossberg’s “most regressive and poisonous”
comments off base? Or, as one CIO asked, “Is his the voice of the customer challenge and
opportunity that CIOs are afraid of?”

Don’t  you  be  afraid.  Share  your  thoughts  now. 


Gary  Beach,  Publisher 

gbeach@cio.com 


sourcing  Offshore  outsourcing 
managers  used  to  traveling  back  and 
forth  to  Bangalore  may  be  trading  in 
those  frequent  flier  miles  for  tickets  to 
Sao  Paulo  or  Rio.  And  not  for  R&R. 

Some IT organizations experienced
in offshoring are looking to Brazil as an
emerging option for software development
and maintenance services. In
most cases, the move is part of a diversification
strategy as demand continues to
put upward pressure on wages in India.

In addition, some companies may
be looking for a way to bring offshore
work a bit closer to home in the Western
hemisphere. “There are instances
where [Brazil] is used instead of India
because of its closer proximity and
similar time zones to the U.S.,” says
Eugene M. Kublanov, COO and managing
director for offshoring outsourcing
advisor NeoIT.


Brazilian IT services companies are
eager for the international business. The
domestic market for IT work is growing
at a decent 17 percent a year, according
to Jair Ribeiro, president of Sao Paulo-based
CPM Braxis, Brazil’s largest IT
services company with $500 million
in expected annual revenue. But CPM
Braxis and other local market leaders,
such as Brasilia-based Politec and Rio
de Janeiro-based

Continued on Page 12
IBM, HP Heat Up Supercomputer Rivalry


supercomputing IBM still operates the fastest
supercomputer in the industry, but rival Hewlett-Packard has
more of them in operation, according to a closely watched
global survey released in concert with the recent international
Supercomputing Conference in Dresden, Germany. HP
ranks first for market share on the list of the top 500
supercomputers compiled by university computer researchers in
the United States and Germany.

HP  grew  its  market  share  to  40  percent  with  202  systems, 
while  IBM’s  share  fell  to  38  percent  with  192  systems.  In  the 
previous  report  last  November,  IBM’s  share  was  47  percent, 
to  HP’s  32  percent. 

IBM’s  Blue  Gene/L  supercomputer,  installed  at  Lawrence 
Livermore  National  Laboratory  in  California,  ranked  first  on 
the  list  for  speed,  with  a  "sustained  performance”  of  280.6 
trillion  operations  per  second,  or  teraflops.  (Flops  means 
"floating  point  operations  per  second.”) 


But change looms, because IBM's got more power on the
drawing board: IBM announced in June a new supercomputer,
Blue Gene/P, which will have three times the processing
power of Blue Gene/L. Properly configured, the P may
be able to hit 3 petaflops (P flops), or 1,000 trillion calculations
per second, IBM says. That means this new monster
could perform on the order of 100,000 times better than
your home PC, IBM says. Expected customers include the
U.S. Department of Energy.

Sun Microsystems, which holds only a 1.4 percent market
share, is making a concerted effort to pursue the supercomputer
market. Sun is building a supercomputer code-named
“Constellation” designed to reach 1 P flops. For this supercomputer
being built at the Texas Advanced Computing
Center at the University of Texas at Austin, Sun received a
$59 million National Science Foundation grant.

-Robert  Mullins 
database Alec Palmer, CIO for the Federal Election Commission
(FEC), had a clear mandate from his business side: Our database
presentation tool doesn’t serve the public well; fix it. And he did,
in-house with no extra staff, spending just $12,000 on technology, in six
weeks. Because of this project, any citizen can now learn who's funding
what presidential campaigns—much easier than was previously possible.
Take a peek at the interactive tool, launched in early June, at
www.fec.gov.

The FEC administers U.S. law regarding congressional and presidential
campaign funding, including limits and rules on donations by
individuals and groups, and shares the relevant data with the public.
Prior to this effort, the FEC had a database of donation data online, but
it wasn’t pretty, says Palmer. If you wanted to do research, “you could
do it, but it took many, many steps,” he says.

The revamped tool lets you click on a map of the United States to
drill down on presidential campaign contributions by candidate name,
state or ZIP code. For example, you might want to research how Rudy
Giuliani’s contributions are stacking up against Mitt Romney’s in your
home ZIP code, or see who your town’s mayor is supporting.

In  the  late  summer  or  early  fall,  the  FEC  will  roll  out  a  second  tool 
with  congressional  election  funding  data. 

The  data  isn’t  unique:  Several  public  interest  groups,  namely  the 
Center  for  Responsive  Politics,  track  2008  presidential  campaign 
dollars.  Also,  The  New  York  Times  website  offers  a  similar  campaign 
funding  map.  But,  the  FEC  wants  to  be  the  primary  source  for  this  data, 
and  now  it’s  presenting  it  in  a  more  useful  way.  An  Oracle  10G  database 
fuels  the  project,  which  was  developed  using  Java  (J2EE)  and  Corda 
OptiMap  for  the  flash-based  map  interface. 

Palmer kept the project cost-friendly by keeping it in-house and skipping
add-on products. For more detail on his approach, and tips on how
to make a similar project work, see “How One CIO Performed Database
Magic in Six Weeks” at advice.cio.com/blogs/inside_tech.

-Laurianne  McLaughlin 


Brazil 


Continued  from  Page  11 

DBA,  are  ravenous  for  a  piece  of  the 
offshore  outsourcing  market,  which  is 
growing  at  more  than  twice  that  rate. 

These companies are contending with
some much larger competitors. Most multinational
outsourcers, including Accenture,
EDS, HP, IBM and Unisys, have set up
shop in Brazil. IBM, for example, is using
Brazil as a hub for infrastructure management,
employing more than 9,000 people
in Campinas, 90 minutes outside of Sao
Paulo, says Kublanov. Tier-1 Indian players,
including Infosys, Satyam, TCS and Wipro,
and larger Mexican IT services companies
including Neoris and Softek, have moved in
as well.

The biggest market for companies like
CPM Braxis is the financial services industry,
thanks to that company’s experience
building robust software to cope with the
country’s financial crises in the 1980s and
’90s. Financial services business makes up
half of the revenue at CPM Braxis.

The second major source of revenue is
ERP work. Brazil boasts one of the largest
concentrations of SAP consultants in the
world outside of Germany. Due to a large
population of German descent, SAP has
been operating in Brazil for years, and
local corporations and divisions of multinationals
have aggressively installed ERP
systems, says Kublanov. Ribeiro says he
also does a decent amount of Oracle business
and work in Cobol and other legacy
languages.

Companies that have outsourced IT
work to Brazil include JPMorgan, Estee
Lauder, and offshore first-mover General
Electric. Citigroup, Dell, Motorola and
Oracle have set up captive (company-owned)
development centers.

Some analysts predict growth in Brazil’s
IT services sector, currently valued at $1.1
billion by Frost & Sullivan and predicted to
triple by 2012. On the downside, employee
costs are high and personal security concerns
plague Sao Paulo and Rio de Janeiro,
says Kublanov. -Stephanie Overby
TRENDLINES


The  Aces  of  Options 


Who’s  cashing  in?  And  what  are  they  walking  away  with? 

According  to  SEC  filings  from  May  and  June: 


| CIO | COMPANY | SHARES PURCHASED | TOTAL PRICE | SHARES SOLD PRICE | NET PROFIT |
|---|---|---|---|---|---|
| Robert Moore | Paetec | 5,000 | $15,450 | $55,751 | $40,301 |
| Janice Skredsvig | Paccar | 4,801 | $182,294 | $417,207 | $234,913 |
| Beth Perlman | Constellation Energy | 4,000 | $124,840 | $372,955 | $248,115 |
| Richard Celia | Alpharma | 31,125 | $386,575 | $792,380 | $405,805 |
| Michael Relich | Guess | 10,000 | $77,200 | $494,006 | $416,806 |
| Scott Henkel | Capella Education | 30,000 | $472,163 | $1.03 million | $559,237 |


career A CIO’s decision to
exercise his stock options once
served as a sign of his forthcoming
departure from his company.
“Ordinarily, you’d think they’re
getting ready to go because
they’re cashing in,” says Mark
Polansky, North American managing
director of executive search
firm Korn Ferry’s IT Center of
Expertise.

But that’s not the case today.
Many CIOs are cashing in on
their options simply because the
money is good, says Polansky.
“People have done well with
options—not just CIOs, but
senior and middle management,”
he says. “There’s a common feeling
that we’re either at the top
of the stock market or near the
top, and since we all learned that
we don’t know how to predict
the top (we all had that problem in
2000), people are more cautious
this time. They’re taking money off
the table and trying to avoid giving
it all back when the bubble bursts,”
he says. -Meridith Levinson




Surfing for Porn and Getting Paid


CONTENT  FILTERING 

How many people can
claim to have a job that
allows them to surf porn,
sports and millions of other
websites that are not allowed
anywhere near PCs in corporate
America and K-12
schools?

Gene Toye can. An analyst
for St. Bernard Software,
a maker of messaging
security products, Toye
evaluates and categorizes
websites. “My friends think
it’s a crazy job,” he says.
“Everyone thinks all I do is
look for porn all day. They
call me ‘Porn Guy.’” During
the past five years this college
student has worked
part-time at St. Bernard,
classifying sites
into 73 general
categories—such
as real estate,
society, malware,
lingerie or phishing. An in-house
software application
guides Toye and 15 other
part-time analysts.

Having a human in on the
evaluation—rather than just
automated technology—is
critical, says Morgan Christian,
a development manager
and Toye’s boss.

Those categorized websites
are automatically fed
into St. Bernard’s iGuard
database, which now contains
more than 30 million
URLs and IP addresses.

The database populates St.
Bernard’s iPrism appliance,
which enables customers
(mostly educational
institutions and midsize
businesses) to block unproductive
digital desires.

At Network Services, a
paper and janitorial supply
distributor, CIO Paul Roche
has reaped the fruits of
Toye’s labor with iPrism.
Though Roche doesn’t know
Toye by name, he’s aware
of the work. “[St. Bernard]
has people who literally go
to websites all day long,”
Roche says. From the 73
categories, Roche can tell
iPrism which sites to allow
and which to block for his
employees. “My [appropriate
use] policy is so easy to
enforce,” Roche says. “And
it’s nothing my IT staff has
to do.” -Thomas Wailgum


The  Case  For  and  Against  iPhone 

mobile  Apple’s  iPhone  resets  the  bar  for  technology  hype.  One  mobile  industry 
analyst  goes  so  far  as  to  call  Apple’s  new  iPhone  the  "most  anticipated  phone  since 
Alexander  Graham  Bell  did  his."  We’re  going  to  stay  down  to  earth  and  try  to  answer 
this  question:  Will  the  iPhone  fly  in  corporate  America? 


Five Reasons Why the iPhone WILL Infiltrate Your Business

1. It’s Unlike Anything Else Out There

It’s aesthetically pleasing, to put it mildly. The user interface is breathtaking, the graphics are beautiful, the design is cooler than cool, and the functionality is impressive—a mobile phone, touch screen keyboard, video and music player, Web browser, camera, e-mail and more, all in one pretty little package.

2. Unbounded Curiosity

CIOs may find that there are just too many users to say “no” to. A survey by M:Metrics estimates that 19 million U.S. cell phone users would be willing to pay $599 (8GB model) for the iPhone, which, it was reported, is nearly double the price Apple says it will sell the device by the end of 2008.

3. The iPod

The iPod has created a huge market for MP3 players. While the Mac claims a relatively small share of the PC market (between 3 percent to 4 percent overall, though Apple claims 12 percent of U.S. notebook sales), Apple has sold 100 million iPods, mostly to Windows users, according to Current Analysis, and iPhone may be their next gadget.

4. Executives Such as Fidelity’s Joseph Ferra

Ferra, Fidelity’s chief wireless officer, welcomes the iPhone and any other mobile device that users want to connect to the company’s Web-based systems, he said recently at Computerworld’s Mobile & Wireless World conference. Ferra sees a time in the not-so-distant future when a device such as the iPhone will allow Fidelity to deliver a daily market recap video.

5. Perfect Timing

According to In-Stat, the number of multimedia phones purchased in the United States rose from 15 percent in 2005 to 36 percent in 2007. Manufacturers have been keeping the marketplace stocked with devices that can straddle consumer and corporate lines—BlackBerry’s Curve, Motorola’s Q, Palm’s Treo 750 and Samsung’s Blackjack.


Four Reasons Why the iPhone WILL NOT Infiltrate Your Business

1. The Cost

For  CIOs  who  love  deep  discounts  for  bulk  purchases,  dream 
on.  AT&T  is  not  offering  any  kind  of  discount.  Apple  and 
AT&T  say  charge-by-the-month  plans  start  at  $59.99  (for  450 
minutes)  and  run  up  to  $99.99  (for  1,350  minutes). 

2.  Bug  Fears 

As with any other 1.0 product, the potential for bugs and problems with iPhone 1.0 could turn many people off. Meanwhile, rival RIM has more than 8 million BlackBerry fanatics signed already, and it recently delivered new devices with more multimedia capabilities—the Curve and the Pearl.

3.  Security  Issues 

The  lack  of  a  security  management  tool  to  enforce  enterprise 
policies  about  device  connectivity  poses  a  big  worry,  CIOs  say. 

4.  Carrier,  Content  and  Network  Issues 

Because  AT&T  is  the  exclusive  wireless  carrier  of  the  iPhone, 
there’s  been  much  grumbling  about  the  two-year  contract  and 
the  fact  that  the  iPhone  will  run  on  AT&T’s  EDGE-based  data 
network,  which  many  analysts  point  out  has  slower  speeds 
than  3G— and  has  been  called  ancient  by  some. 

-Thomas  Wailgum 


Not on My Network

IPHONE | The gadget du jour has a long way to go before making enterprise IT swoon, as 116 of you revealed in a CIO.com poll.

In my IT department, the iPhone will be:

Banned (unless, of course, the CEO wants one...)
Avoided if at all possible
Welcomed with open arms
Accepted, but with strict policies about use of company resources

For more on the iPhone and your enterprise, see “Blowing Mobile,” Page 25.
CIO EXECUTIVE VIEWPOINT

Business  Continuity 

Taking  Preventive  Measures  Helps  to  Ensure  the  Health  of  Information  Systems 


George  S.  Conklin 

CIO  and  Senior  Vice  President  for  Information  Management,  Christus  Health 

George S. Conklin is responsible for all aspects of the delivery of information management and communications systems services, supporting Christus Health’s delivery network in more than 300 locations. He is also one of the core team members of the organization’s Futures Task Force, which sets long-term system directions based on future assessments of social, technical, environmental, economic and political factors. In 1997, while CIO of Integris Health in Oklahoma City, Okla., Conklin was awarded the Smithsonian Institution Face of Innovation award, in recognition of the applications of computers to medical decision support.


Ranked among the top 10 Catholic health systems in the United States by size, the Christus Health system includes more than 40 hospitals and facilities in six American states and in Mexico, with assets of more than $4.1 billion. Here, the organization’s Senior Vice President and CIO, George S. Conklin, explains why business continuity and its partnership with HP’s Business Continuity Services have held important roles for Christus Health.

Why  is  business  continuity  an  important 
issue  for  Christus  Health? 

Christus Health believes that information systems are our nervous system and what connects our healthcare system to our patients and partners. Given an increasing focus on quality and cost of care, and our traditional mission to serve, we believe that it is essential that the right information get to the right person at the right time. It became very clear to us several years ago that we needed to establish an information systems platform that was not only rich in the tools it provided and the capabilities it offered, but also robust in the face of disasters. That was also driven home to us, obviously, with Tropical Storm Allison in 2001, and much more recently with Hurricanes Rita and Katrina, since we had hospitals that were directly affected by them.

As  a  healthcare  provider,  what  are  some 
of  the  unique  business  continuity  needs 
that  your  organization  has? 

In the past eight years, Christus Health has gone from a little more than 100 gigabytes to one petabyte of storage in our data center. It is expected that within the next 18 months to two years we will double that storage requirement based in great part on all the images we’re storing on a daily basis. We believe we will be replacing paper across the organization as the primary mode of storage. Once we do that, we can’t back off. Change is a fact of life for us, and we need to make sure it’s built into all of our plans and direction. Business continuity becomes essential to our operation and to our ability to provide good care 24 hours a day, seven days a week. We measure our success by our ability to reach that goal of information provided anywhere, any time, at the point of care.

Why  did  Christus  Health  choose  HP  as  a 
business  continuity  partner? 

We’ve had a long relationship with HP—and with Compaq as well—so when the two companies consolidated, that association just got richer. As we began to think about business continuity and disaster recovery, we sent an RFP to a number of providers. HP floated to the top of the pool in 2005 and was the successful candidate. It was partly related to the long-term, positive relationship we’ve had with them and partly because their RFP response met our needs.

What  are  some  of  the  benefits  that 
Christus  Health  has  realized  as  a  result 
of  its  partnership  with  HP? 

One benefit is meeting our needs and recognizing those are evolutionary and constantly changing. HP is not frozen into a specific contract like a typical outsourcer might. They’ve been incredibly flexible and easy to work with relative to changes in the plan and refocus of our interests. Also, we have gained access to an immense amount of talent relative to how to craft the business continuity plan and environment. I think it’s been very synergistic and positive for both of us, certainly bringing talent to the table we didn’t have here to design and implement a plan, and enabling them to learn about an industry from a group of people that are the best I’ve ever worked with.


What  one  piece  of  advice  would  you  offer 
to  a  peer  in  your  industry? 

Our healthcare market is in constant flux. Expect that the business continuity needs of the organization will reflect that constant flux as well. Find a partner that will be flexible with that and not box you into a contract and set of services that will be inflexible and extremely costly to modify.

For More Information:

Check out this white paper, “Integrating HP Business Continuity and Availability Solutions into Business Processes”, at www.cio.com/whitepapers/hpcontinuity
Smart CIOs use techniques like tiering and iSCSI to consolidate and simplify storage. They're saving money right now and they’ll save more in the future.


More Room For Less Money

BY GALEN GRUMAN

STORAGE  |  When  Marty  Garrison  became  CTO  of  ChoicePoint  three  years  ago,  the 
storage  situation  was  messy.  That’s  no  small  matter  at  a  company  that  manages  16  billion 
records,  such  as  background  checks  and  insurance  applications,  eating  up  two  petabytes 
of  storage— that’s  2,048  terabytes.  And  growing.  Like  many  IT  leaders,  he  faced  lots  of  data 
in  lots  of  silos.  “Storage  had  grown  organically  by  project,  and  it  was  not  managed  in  terms 
of  cost.  So  we  had  eight  to  10  SAN  [storage  area  network]  infrastructures  as  islands,  none 
of  which  could  talk  to  each  other.  We  couldn’t  share  storage  space  across  islands,  and  we 
couldn’t  tier  our  data,”  he  recalls. 

The silos meant there could be no cost efficiencies from bulk purchases, from better utilization of the existing storage capacity or from a unified management approach that would lower staffing needs. So Garrison created a central, common storage architecture and strategy. He removed storage management responsibilities from local Unix administrators and hired dedicated storage experts to manage responsibilities globally. He consolidated the SANs into one, reducing management costs and allowing more efficient data utilization. He pared down the vendors to just a couple for each type of technology. That let him simplify management and buy in bulk, to get greater discounts. When you buy hundreds of terabytes of storage each quarter, Garrison says, “it really does drive costs down.”

He also introduced tiering, which uses cheaper, slower drives for data that doesn’t need the highest level of availability. “Before that, we had done no performance testing to determine service requirements. The staff played it safe and got Tier 1 Hitachi and EMC disks for everything,” Garrison recalls—at nearly double the price per terabyte as Tier 2 or Tier 3 disks. Altogether, he has slashed storage costs by 40 percent, both for the disks themselves and for the management overhead. And he’s not had to significantly grow his staff despite escalating storage requirements.

Garrison  is  now  exploring  new  ways 
to  keep  costs  in  check,  including  storage 
virtualization  and  single-instance  storage. 
“Now  it’s  time  to  go  into  the  next  phase,” 
he  says. 

You must move to a simplified storage architecture to reduce total cost of ownership, analysts say. Even as the cost of new storage media decreases at up to 34 percent annually, the cost of rising capacity and service level demands can exceed 60 percent, says Stewart Buchanan, a research director at Gartner. “Enterprises need more business discipline in IT asset management of storage,” he says.

Lay the Right Foundation

The good news: CIOs have more storage choices, and more mature choices, than they did just a few years ago. Some approaches that were once novel and untested, such as tiered storage and its related archival approach of hierarchical storage management, are now proven, says Nik Simpson, a storage analyst at the Burton Group consultancy. This is also true for the use of SANs.

One increasingly popular category of savings comes from replacing tape backup with disk backup (also called virtual tape libraries), says Dave Dillehunt, CIO of the integrated delivery network FirstHealth of the Carolinas. Tape capacity has not kept up with hospital storage requirements—about 185 terabytes at FirstHealth—and physically managing the tapes has become too burdensome, he says. A caveat: One danger in relying on disk-based backup is the temptation to keep the data online (which can overload storage networks, because people will use the data if it is available). That’s why Dillehunt keeps the disk backup disconnected from the rest of the network.

If your storage needs are modest, tape does continue to make sense because the medium cost is so much less, notes Rich O’Neal, senior vice president of operations at the online rewards-tracking site Upromise. That’s the case for his 4 terabytes of data.

Of the established approaches, tiering offers the most significant bottom-line benefit, says Gartner’s Buchanan. It not only lets you increase the amount of cheap storage relative to expensive storage that you use but also forces you to understand the service levels for all your data. Then you can reduce costs by deleting or at least not backing up unneeded data. You can move rarely used data to offline storage to keep network traffic under control. And you can begin to manage demand by users, by showing them the entire data lifecycle costs for their requested applications. “Tiering lets you find the total cost of ownership of your storage,” he says.

“Tiering forces you to understand the service levels for all your data.”
-Stewart Buchanan, research director, Gartner

A good target: Keep 30 percent of your data in Tier 1 storage and the rest at lower tiers, advises Burton Group’s Simpson, though the exact ratio depends on the performance and availability requirements for your data.

It’s critical for the CIO to make sure that business takes responsibility for its data demands. “It’s not the role of the storage team to define the data requirements—that has to go to business management,” Buchanan says. But the CIO has to lay the groundwork by having effective asset management in place and exhibiting efficiency.


Many of the technologies to support structural storage efficiencies are widely available, such as storage area networks (SANs), disk-to-disk backup (also called virtual tape libraries) and tiered storage. "You can use your existing vendors for these if you don't want to work with a startup," says Nik Simpson, a storage analyst at the Burton Group.

Providers of both fibre channel and iSCSI products include 3Par, Compellent, EMC, Hewlett-Packard, Hitachi Data Systems, IBM, Network Appliance (NetApp) and Sun Microsystems. LeftHand Networks and Symantec offer software for such networks, while Sanrad offers an appliance to interlink the two technologies. Providers of iSCSI-only SANs include EqualLogic, Isilon Systems and Pillar Data Systems.

For the recently emerged area of network storage virtualization, mainstream providers include EMC, HP, Hitachi, IBM, LSI, NetApp and Sun. "NetApp and Hitachi are at the top of my list, and IBM is a reasonable third,” says Simpson. Software-only providers include DataCore Software, FalconStor Software, Incipient and Symantec.

In the also emerging area of single-instance storage and deduplication, leading players include Data Domain, Diligent Technologies, EMC, ExaGrid, FalconStor, NetApp, Quantum and Sepaton. -G.G.

Cheaper Storage Networks Through iSCSI

Among newer technologies that can help reduce storage costs, the most notable in recent years is iSCSI (Internet Small Computer System Interface). A type of storage that connects drives to each other and to servers using a simple, easy-to-manage protocol, it lets organizations of all sizes deploy SANs. Before iSCSI, the major SAN option was fibre channel, but “fibre channel is not suited outside larger enterprises,” Simpson notes, because of its complexity and its high management cost.

The simplicity and fit of iSCSI for a larger range of organizations make it the fastest-growing interconnect technology for storage, reports IDC (a sister company to CIO’s publisher); the research firm expects 25 percent of all external storage sold in 2011 to be iSCSI-based.

Regional accounting firm Schenck Business Solutions dropped its EMC fibre channel array three years ago because of its complexity, replacing it with an EqualLogic iSCSI-based SAN. “We had struggled with configuration and day-to-day usage,” recalls CIO Jim Tarala. Since then, the company’s storage capacity has increased from about 330 gigabytes to 20 terabytes. But he’s got a handle on overall cost. “We spent approximately 120 percent of what we did on the EMC gear (330 gigabytes) to get the EqualLogic (20 terabytes) and our management costs are a maximum of 60 to 65 percent of what they were previously,” Tarala says. He expects to upgrade the storage to 30 terabytes soon.

Associated Bank, which serves several Midwestern states, had a similar experience. In 2005, it needed to rethink its storage strategy to prepare for volumes of expected image data such as electronic check images and customer records, since the bank was implementing a program to let customers start an application at one branch and finish it at any other. When the storage initiative began in 2005, the bank had about 20 terabytes of data; it now has 300 terabytes.

Better Data Governance: For related advice on your data strategy, see SIX STEPS TO DATA GOVERNANCE SUCCESS at www.cio.com/article/114750.

The bank built its SAN using iSCSI arrays because it wanted an IP-based network to take advantage of its staff’s existing networking skills, recalls Preston Peterson, the assistant vice president of infrastructure design. Still, just in case fibre channel becomes necessary later on, the bank made sure its Compellent storage arrays could support both fibre channel and iSCSI.

The move to iSCSI did raise questions, notes Kory Kitowski, the bank’s vice president of IT. For example, engineers from Microsoft and other vendors weren’t familiar with iSCSI, so they questioned unfamiliar server and SAN settings when installing or troubleshooting their own products. Internally, despite having IP-savvy IT staff, the bank still needed to reeducate the storage administrators. “We went through a major paradigm shift,” Kitowski says.

But  the  result  was  a  30  percent  overall 
savings  to  what  they  had  expected  to  spend 
using  traditional  SANs,  Peterson  says. 

Even within large enterprises, there’s no longer a need to rely solely on fibre channel, says ChoicePoint’s Garrison, who uses either iSCSI or fibre channel, based on the specific storage’s availability needs.

Prepare  for  the  Next  Wave 

As enterprises get these structural changes in place, both Simpson and Buchanan advise that, for further savings, CIOs should begin looking at two emerging technologies: network storage virtualization and single-instance storage. Network storage virtualization moves management out of the arrays and other disk hardware, and implements it as part of the SAN’s operating environment. This lets IT treat all the disks as a virtual resource pool.

Single-instance saves on storage by keeping just one copy of data in your frontline systems (such as application servers), substituting pointers to the source for any copies, while the related deduplication technology saves just one copy of a file or data block during backup or archiving and substitutes pointers for any later copies found. Long available for e-mail servers, single-instance technology is becoming available as a feature both in backup and archival systems and in frontline storage systems, notes Burton Group’s Simpson.

By 2011, nearly

for capacity rather than performance.

SOURCE: IDC

But several factors limit these technologies’ adoption, says Gary Fox, national practice director for the consultancy Dimension Data.

Fox says that network storage virtualization technology proves complex to manage, despite vendors’ characterization of it as plug-and-play.

As for single-instance storage technology, data loss worries surround the pointer approach; most companies are in pilot mode for it, Fox says. Also, the technology comes primarily from startup vendors, though Fox expects that to change. Still, despite its nascency, “We see a lot of interest from clients,” he says. After all, they also foresee continued unbridled storage growth.
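
The pointer approach described above, and the data loss worry Fox raises about it, can be seen in a small block-level deduplication store. This is an added illustration, not code from the article or from any vendor it names; the 4 KB block size, the SHA-256 content addressing, the names DedupStore and scrub, and the sample backup files are assumptions, and the sample data is constructed.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed fixed block size for this sketch


class CorruptBlockError(Exception):
    """A stored block no longer matches the digest that points to it."""


class DedupStore:
    """Block-level deduplication: each unique block is stored once and
    files are kept as ordered lists of pointers (SHA-256 digests)."""

    def __init__(self):
        self.blocks = {}    # digest -> bytes, the single stored copy
        self.refcount = {}  # digest -> number of pointers to that block
        self.files = {}     # file name -> ordered list of digests

    def put(self, name, data):
        """Store a file, writing only the blocks not already present."""
        if name in self.files:
            self.delete(name)
        pointers = []
        for off in range(0, len(data), BLOCK_SIZE):
            block = data[off:off + BLOCK_SIZE]
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self.blocks:
                self.blocks[digest] = block
            self.refcount[digest] = self.refcount.get(digest, 0) + 1
            pointers.append(digest)
        self.files[name] = pointers

    def get(self, name):
        """Rebuild a file from its pointers, verifying every block."""
        out = bytearray()
        for digest in self.files[name]:
            block = self.blocks[digest]
            if hashlib.sha256(block).hexdigest() != digest:
                raise CorruptBlockError(f"{name}: block {digest[:12]} is damaged")
            out += block
        return bytes(out)

    def delete(self, name):
        """Drop a file; free a block only when no pointer references it."""
        for digest in self.files.pop(name):
            self.refcount[digest] -= 1
            if self.refcount[digest] == 0:
                del self.refcount[digest]
                del self.blocks[digest]

    def logical_bytes(self):
        """Size the data would occupy without deduplication."""
        return sum(len(self.blocks[d])
                   for ptrs in self.files.values() for d in ptrs)

    def stored_bytes(self):
        """Size actually held after deduplication."""
        return sum(len(b) for b in self.blocks.values())

    def scrub(self):
        """Verify every stored block; map each damaged digest to the
        files that depend on it (the reach of one bad block)."""
        damaged = {}
        for digest, block in self.blocks.items():
            if hashlib.sha256(block).hexdigest() != digest:
                damaged[digest] = sorted(
                    n for n, ptrs in self.files.items() if digest in ptrs)
        return damaged


def demo():
    """Constructed sample: three nightly backups that share most blocks."""
    common = b"A" * BLOCK_SIZE
    store = DedupStore()
    store.put("mon.bak", common + b"B" * BLOCK_SIZE)
    store.put("tue.bak", common + b"C" * BLOCK_SIZE)
    store.put("wed.bak", common + b"B" * BLOCK_SIZE)
    saved = store.logical_bytes() - store.stored_bytes()

    # Simulate silent damage to the one stored copy of the shared block.
    shared = hashlib.sha256(common).hexdigest()
    store.blocks[shared] = b"X" * BLOCK_SIZE
    return saved, store.scrub()[shared]


if __name__ == "__main__":
    saved, affected = demo()
    print(f"bytes saved by deduplication: {saved}")
    print(f"files hit by one damaged block: {affected}")
```

The scrub result is the point: one damaged block takes out every file whose pointer list includes it, so the single stored copy needs regular verification and redundancy of its own.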


Galen  Gruman  is  a  frequent  contributor  to  CIO.  You 
can  reach  him  at  ggruman@zangogroup.com. 
Everyone agrees the future of global business is mobile, but America has a lot of catching up to do when it comes to adopting mobile devices and strategies

BY THOMAS WAILGUM

WHEN  FIDELITY'S  JOSEPH  FERRA  IMAGINES  HOW  U.S.  CUSTOMERS  WILL 
do  business  with  the  investment  services  giant  in  the  not-so-distant  future,  he  has  no  doubt  that  most  will 
be  doing  it  through  a  mobile  device.  As  the  company’s  chief  wireless  officer,  he’s  naturally  bullish  about 
mobile  services. 

And with good reason: Worldwide research and Fidelity’s own data show the number of mobile users and devices—such as cell phones, smart phones and handhelds—is exploding. Market researcher In-Stat reported more than 2.6 billion mobile subscribers worldwide in 2006; according to the 451 Group, several vendors estimate there are some 600 million global mobile office users.

Fidelity  itself  has  more  than  1  million  U.S.  customers  wirelessly  accessing 
Web-based  tools  through  its  Fidelity  Anywhere  product,  allowing  customers 
to  receive  market  data  (including  real-time  stock  quotes  or  alerts),  access  their 
401(k)  accounts,  make  trades  or  check  portfolio  balances,  among  other  things. 

“And people want to do more,” Ferra says. “‘I do this on Fidelity.com,’ they say. ‘I want to do this on my mobile device.’”

In the United States, Fidelity is at the forefront of mobile device use because it has incorporated mobile-specific design and functionality into its Web-based products since 1998. “We got in this space very early,” says Ferra. Fidelity has also created a device-agnostic environment: BlackBerry 8800, Motorola cell phone, HP PDA, even the iPhone—all are welcomed by Ferra’s systems.

That’s not to say there haven’t been speed bumps though. Early on, mobile customers “were typing in Fidelity.com, and they were just getting the upper left corner on their screen,” Ferra recalls. “That’s not a great user experience.”


That  problem  has  been  fixed,  but  when 
it  comes  to  serving  mobile  users,  most  U.S. 
companies  “have  been  able  to  get  away  with 
miserably  designed  software  applications,” 
says  Web  usability  expert  Jakob  Nielsen,  a 
principal  of  the  Nielsen  Norman  Group. 

In fact, when it comes to mobile devices, mobile services and the infrastructures that support them, the United States trails the rest of the world. And that may cause trouble—big trouble—for American business in the not-too-distant future.

Why  We’re  Out  of  Step 

BlackBerry addicts aside, corporate America’s lack of enthusiasm for mobile stands in stark distinction to the rest of the developed world, particularly Japan, India, South Korea and most of Europe. “I hesitate to call the U.S. a laggard, but it’s a different cultural environment,” says Bill Hughes, a principal analyst at In-Stat.

In Asia, for example, companies aren’t overly concerned when their employees bring mobile devices into the workplace. It’s just a part of the mobile device culture, says Tony Rizzo, research director of mobile technology at the 451 Group. “There’s very little enterprise control,” he says, “especially not from the top down.” In the United States, however, security-conscious CIOs have tried to keep device proliferation and network vulnerabilities in check by limiting which devices can access corporate networks.

Those differences in culture and adoption may become more, not less, pronounced in the future. By 2009 more people in Asia will have made their first phone call on a mobile device than on a landline; by 2010, more of those same people will initially access the Internet on a mobile device and not a PC, says Scott Cooper, senior VP of mobility for Nokia Enterprise Solutions.

“In India and China, they completely skipped the wired Internet,” Cooper says.

If  America  wants  to  do  business  in  Asia  (and,  of  course,  it  does), 
it  will  have  to  go  mobile,  and  savvy  U.S.  CIOs  recognize  that.  They 
understand  that  the  global  business  is  a  mobile  one. 

But for CIOs, getting to that future involves multiple challenges. On the customer-facing side, they need to design products and services tailored to the mobile world, and enable new kinds of connections (such as text messaging and video) to their constituents.

On the internal user front, CIOs need to overcome security concerns, figure out how to manage a plethora of devices, reduce exorbitant wireless costs, manage integration and business continuity challenges between wireless and HQ networks, and prepare for new user demands such as unified messaging. “Consumers are driving enterprises to adapt to and adopt mobile technologies,” says Rizzo. “And in that way, mobility in the enterprise is really following consumers.” IDC (a sister company to CIO’s publisher) estimates that by 2009, 878 million workers will be accessing corporate networks via a rainbow of mobile devices, and uploading and downloading a mix of data, voice and video.

Doing all this won’t be easy, but as Fidelity’s Ferra notes, there’s not really much choice. Companies will have to offer lots of mobile options to their customers and users if they expect to remain competitive. “Once customers get hooked [on mobility],” Ferra says, “it becomes contagious.”

The  question  for  CIOs,  therefore,  is 
not  if  they  should  make  their  enterprises 
mobile-ready,  but  when.  And  how. 

A  BlackBerry  Doesn’t  Make  You  Mobile 

The  seeds  of  mobile  business  were  planted 
in  the  1980s  with  the  appearance  of  large 
cellular  radio  phones  used  mainly  by  the 
rich  and  famous  (think  of  Gordon  Gekko 
on  the  beach  in  1987’s  Wall  Street).  Cell 
phones  started  shrinking  just  as  20-pound 
laptops  entered  the  market  in  the  1990s— 
the  next  status  symbol  for  the  corporate 
elite.  As  mobile  phones  and  laptops  kept 
slimming  down,  the  BlackBerry  blew  in 
from  Canada  in  1999. 

The BlackBerry’s sticky and addictive nature, its ease of integration on the back end and its robust security features contribute to its meteoric rise (9 million users and counting). “Businesspeople see it as a requirement just as they do a desk phone,” boasts Mike Lazaridis, president and co-CEO of Research In Motion, BlackBerry’s maker. But not everyone saw the BlackBerry’s potential in the early days.

“I was the first in my firm to have a BlackBerry,” says Steven Sommer, CIO and CTO of law firm Hughes Hubbard & Reed, which has 330 lawyers worldwide. “I tried to give one to my boss, and he said, ‘Get out of here. I want to carry around my 20-pound laptop.’”

iPhone in the Enterprise?

AFTER ONE OF THE MOST HYPED product launches ever, the question arises: Should CIOs “play nice” with the iPhone crowd?

Much has been written about how enterprise unfriendly the iPhone is. Security, cost and “Mac versus PC” reasons top the list of complaints, but there are other issues CIOs need to consider, say analysts.

“Push corporate e-mail is not supported, there is no third-party application library, and there is no way for corporate developers and [independent software vendors] to write them,” writes Avi Greengart, principal analyst at Current Analysis, in a report. “There is a significant learning curve on the virtual keyboard, after which it always remains difficult to enter URLs, passwords and names that are not in your address book.”

Greengart notes that while the smart phone is aimed at consumers, many have work e-mail accounts and will want to access them. Some vendors have already developed workarounds for connecting to corporate e-mail, but security questions remain. Looking ahead, he contends the onus is on Apple to explain to IT managers and their users how to access corporate e-mail accounts, and to provide robust security controls.

-T.W.


A 2007 Economist Intelligence survey of 532 global executives (more than 80 percent from outside the United States) found that the top mobile device inside their companies was a conventional mobile phone (62 percent). Lagging in second place was a Wi-Fi-enabled laptop at 44 percent. The survey suggests that the mobile phone is king and the way in which international business “gets done.”

In  the  United  States,  however,  the  laptop  is  still  considered  essential.
“I  would  like  nothing  better  than  to  not  have  to  carry  my  laptop
[on  business  trips],”  says  Steven  McIntosh,  senior  vice  president 
and  CIO  at  Jackson  Enterprises,  which  has  20  wineries  worldwide. 
Like  many  businesspeople,  he  uses  his  PDA  whenever  possible,  but 
connectivity  issues  require  him  to  carry  his  laptop  as  a  backup. 

The  laptop  flourished  in  the  United  States  in  part  because  it  cost 
less  here  than  in  other  parts  of  the  world.  Ten  years  ago,  laptop  prices 
in  Europe  were  double  the  U.S.  price.  Mobile  phones  emerged  as  a 
way  of  life  in  Europe  and  Asia  because  they  were  much  cheaper,  and 
demand  for  service  pushed  those  countries—which  were  less
geographically  dispersed  than  the  United  States  and  easier  to  blanket
with  wireless  signals—to  invest  heavily  in  their  mobile  networks.

In  addition,  since  Asians  typically  spend  one  to  three  hours  per 
day  commuting  to  and  from  work  on  a  bus  or  train,  a  big  laptop  is 
impractical,  says  Brian  Bonner,  CIO  of  Texas  Instruments,  which 
has  operations  in  Asia  and  Europe.  Bonner  points  out  that  devices 
such  as  Nokia’s  N95  offer  Asian  users  e-mail  and  music  services, 
DVD-like  video,  a  5  megapixel  camera  and  support  for  Web  browsing
and  GPS  mapping,  “all  in  one  device.”

But  Stateside,  by  not  provisioning  workers  with  integrated
mobile  devices—and  by  not  managing  or  standardizing  them—
business  has  created  a  culture  of  mobility  in  multiples.  Overburdened
knowledge  workers  may  carry  a  laptop,  cell  phone,  PDA,
MP3  player  and  digital  camera  at  the  same  time.  Which  raises  the 
question:  How  untethered  are  you  if,  on  a  business  trip,  you  have  to 
lug  a  laptop,  have  your  BlackBerry  in  hand,  a  mobile  phone  attached 
to  your  belt  and  whatever  other  device  you  might  need? 

In  the  United  States,  the  typical  corporate  “policy”  has  been:  “Let 
the  employees  buy  their  own  phones  and  use  their  business  judgment,
and  we’ll  reimburse  them  for  their  itemized  business  calls.”

“I  like  to  say  that  they’re  pursuing  a  strategy  of  trying  to  save 
money  no  matter  how  much  it  costs,”  says  In-Stat’s  Hughes.  His 
recent  report  signaled  a  dangerous  inflection  point  if  wireless
mismanagement  continues:  U.S.  corporate  spending  on  wireless  voice
and  mobile  data  services  will  exceed  spending  on  all  wired  voice 
and  data  services  by  2010. 

The  Problem  With  Your  Carrier 

For  most  U.S.  businesspeople  and  consumers,  the  difficulty  of  simply
making  the  wireless  connection  with  each  other  and  the  home
office  network  has  been  a  significant  and  limiting  factor  of  mobile 
adoption.  In  this  sense,  the  wireless  carriers  have  been  the  elephant 
in  the  mobile  room. 

Devices at IT’s Door

Knowledge workers are eyeing more multimedia-capable devices. Here’s the skinny.

Apple iPhone
Enterprise strengths: Lots of multimedia functionality all in one device; GSM- and Wi-Fi-ready; touch keyboard
Enterprise weaknesses: Security concerns; cost; touch screen is made of glass
Wireless carrier/Price: AT&T; $499, $599 (depending on model)

BlackBerry Curve 8300
Enterprise strengths: Multimedia features (audio and video); user familiarity with RIM; IT policies can be hardwired into each device; full qwerty keyboard
Enterprise weaknesses: No support for 3G services and Wi-Fi; no GPS capabilities
Wireless carrier/Price: AT&T; $199.99

Motorola Q
Enterprise strengths: Windows Mobile 5.0; EV-DO; full qwerty keyboard; all-digital network; removable memory card slot
Enterprise weaknesses: No Wi-Fi integration
Wireless carrier/Price: Sprint and Verizon Wireless; $99.99 and $174.99 (respectively)

Samsung Blackjack
Enterprise strengths: Windows Mobile 5.0; full qwerty keyboard; simultaneous voice and data capabilities; 3G-ready
Enterprise weaknesses: No Wi-Fi integration; tight design and some navigation issues
Wireless carrier/Price: AT&T; $74.99

Palm Treo 750
Enterprise strengths: Windows Mobile 5.0; full qwerty keyboard; simultaneous voice and data capabilities; 3G-ready
Enterprise weaknesses: Short battery life concerns; non-MS Exchange shops can have setup headaches
Wireless carrier/Price: AT&T; $199.99

SOURCES: Company websites; CIO.com device reviews (www.cio.com/article/106306); CIO reporting

Most of the frustration with carriers stems from three areas:
inconsistent networking standards among competitors, the two-year
customer lock-in agreement (which is unique to the United States),
and the slower speeds and smaller bandwidth connections on those
networks. “Mobile networks are incredibly bad in the United States
compared with Europe and the more advanced countries in Asia,” says
Nielsen.

In  Japan,  for  example,  they’re  pushing 
fourth-generation  (or  4G)  speeds,  says  the 
451  Group’s  Rizzo.  “But  here  in  the  U.S.,  we’re 
patting  ourselves  on  the  back  for  3G.” 

It’s  a  different  story  in  most  of  Asia,  Rizzo 
says.  There,  demand  for  new  devices  and 
the  latest  content  has  fostered  better,  faster 
networks  as  well  as  new  types  of  service 
providers.  Sommer  from  Hughes  Hubbard 
&  Reed  hears  about  the  differences  between 
U.S.  and  Japanese  wireless  technology 
from  the  firm’s  Japanese  attorneys.  “Their 
screens  are  always  better  than  ours,”  he 
says.  “And  the  phones  are  so  fast.” 

Until  recently,  there  hasn’t  been  as  much 
demand  in  the  United  States  for  multimedia
mobile  services,  so  the  carriers  haven’t
been  as  quick  to  upgrade  networks  and 
service  offerings. 

Businesses  have  also  been  lukewarm 
about  partnering  with  the  mobile  operators.
“In  the  U.S.,  enterprises  hate  the  carriers,”
says  Rizzo.  “They  think  that  the
wireless  carriers  and  landline  carriers  are 
nothing  more  than  dumb  pipes.” 

But  change  is  on  the  horizon.  Early  this 
year,  Verizon  Wireless  launched  its  EV-DO 
(or  Evolution-Data  Optimized)  3G  service, 
which  delivers  data  and  multimedia  services
at  much  faster  speeds  than  before.

Other  wireless  carriers  have  followed  suit 
and  increased  their  network  capabilities 
(although  not  to  all  areas  of  the  country). 

According  to  Rizzo,  there’s  been  a  noticeable
uptake  in  demand  for  EV-DO-enabled  services  from  consumers
but  also  from  enterprises.

But  even  with  all  of  the  latest  bells  and  whistles,  “dead  zones” 
in  U.S.  mobile  coverage  areas  and  dropped  calls  are  still  pervasive. 
“It’s  not  that  Americans  are  less  mobile  than  anyone  else,”  explains 
Nielsen.  “But  even  now,  with  just  making  a  cell  phone  call,  we  don’t 
have  a  stable  resource.  And  that  one  thing  explains  it  all.” 

Your  Customers  They  Are  a-Changin' 

Although  the  song  “The  Times  They  Are  a-Changin’”  was  written
for  the  generation  on  its  way  out  of  corporate  America  right  now, 
it  also  applies  to  the  generation  making  its  way  in.  And  nowhere  is 
there  more  demand  for  faster,  better  and  cheaper  mobile  services 
than  with  the  millennial  generation  (those  born  between  1977  and 
1994)  now  banging  on  business’s  front  door. 

“The  rate  of  mobile  adoption  [among  millennials]  has  been
nothing  short  of  spectacular,”  says  Rizzo.
“They’re  demanding  that  enterprises  provide
a  mobile  capability.”

He  describes  the  technological  needs 
of  this  group  as  a  “mobilized  social  networking
environment.”  Their  world  is
one  of  constant  connection  (IM,  voice,  text 
messaging,  Bluetooth  and  location-based 
technologies),  lots  of  sharing  of  documents 
and  photos,  as  well  as  significant  end  user 
adoption  of  services  like  mobile  banking 
(all  of  which  give  security-conscious  CIOs 
a  huge  migraine). 

Another  emerging  area  receiving  a  lot 
of  attention  by  millennials  is  unified  messaging,
which  means  that  any  handheld
device  can  act  as  a  universal  inbox  for  all 
communications:  wire-line  and  wireless 
voice  mail,  e-mail,  IM,  text  messaging 
and  location-based  services.  With  this 
new  generation  of  office  workers,  unified
messaging  will  be  viral  in  its  spread,
says  Richard  LeVine,  a  senior  manager 
at  Accenture.  “It’s  pointless  to  know  how 
you  send  or  receive  the  message;  it’s  more 
important  just  to  know  that  they  got  it.” 

Not  only  will  these  “prosumers”  (power 
technology  users  and  consumers)  be  your 
employees,  but  they’ll  also  be  your  customers.
UPS  has  been  a  wireless  pioneer
in  the  shipping  industry,  offering  such 
equipment  to  its  drivers  and  package  sorters
for  years.  It  made  its  first  foray  into  the
wireless  space  for  its  customers  in  1999, 
enabling  Palm  VII  organizers  to  view 
tracking  and  drop-off  location  data.  Now, 
of  the  40  services  UPS  offers  through 
www.myups.com,  it  boasts  four  wireless 
services  to  its  customers  and  business  partners.  Customers  can 
wirelessly  track  packages,  find  UPS  drop-off  locations,  calculate 
shipping  rates  and  determine  transit  times  for  shipments.  UPS 
also  expanded  its  wireless  tracking  program  in  43  countries  and 
ensured  that  any  wireless  device  can  link  to  UPS  shipping  data. 

Jeff  Reid,  UPS’s  director  of  customer  technology  marketing  of 
wireless  services,  says  a  big  push  has  come  from  the  millennials 
and  from  working  with  business  partners  that  have  a  younger 
customer  base.  Businesses  that  use  UPS  products  can  offer  their 
customers  package-tracking  updates  as  text  messages  (or  SMS,  for 
short  message  service)  on  their  mobile  devices.  “The  millennials 
are  driving  a  lot  of  the  SMS  usage;  it’s  become  an  expectation  with 
them,”  says  Reid. 

Reports on the Death of the Laptop...

May be greatly exaggerated

WITH THE INTRODUCTION OF more powerful mobile devices and smart phones
like the iPhone in the United States, speculation on the death of the
laptop has run wild. To many, it still seems premature.

“There’s no way the laptop is ever going away,” says Tony Rizzo,
research director of mobile technology at the 451 Group, who’s
followed the wireless and mobile space for many years. Rizzo and
other industry watchers cite PDAs’ limited form factor and small
screen size as the main reasons. “There’s only so much you can do
on a BlackBerry,” he says.

Even Mike Lazaridis, president and co-CEO of Research in Motion,
BlackBerry’s maker, concurs. “People are leaving behind their
laptops more and more, but you can’t beat the giant screen, keyboard,
mouse and hard drive [on a laptop],” he says. “We never tried to
replace the laptop or the desktop.” -T.W.

For example, Moosejaw, an outdoor equipment retailer, is a UPS
customer with a predominantly Gen Y customer base. Moosejaw
customers who want to know the status of their package can opt
in  and  receive  text  message  updates  on  their
mobile  devices.  The  goal  of  the  service,  according
to  Moosejaw,  is  to  create  the  least  amount  of
“friction”  for  its  customers. 

Though  he  doesn’t  serve  as  many  millennials,
Sommer  from  Hughes  Hubbard  &  Reed  has
plenty  of  users  who  want  the  “latest  and  greatest”
devices.  His  mobile  device  plan  dictates  that
every  attorney  and  qualified  employee  receives 
a  new  BlackBerry  every  two  years.  “We  want  to 
keep  our  attorneys  up  to  date  to  match  what  the 
clients  need  and  have,”  he  says. 

In  addition,  because  the  firm  has  offices 
around  the  globe  and  attorneys  who  regularly 
travel  to  Paris  and  Tokyo,  those  attorneys  “definitely
need  the  best  and  fastest  in  the  world
that’s  out  there,”  he  says.  “We  don’t  want  to  be  stuck  in  a  2G  world 
when  the  4G  world  is  coming  up.” 

In  the  United  States  overall,  there  has  been  a  recent  increase  in 
the  number  of  multimedia  devices  sold.  But  even  if  more  people  are 
starting  to  buy  mobile  services  from  the  carriers,  it  doesn’t  mean 
they’re  actually  using  them.  According  to  a  recent  In-Stat  report 
(“Will  Stingy  U.S.  Multimedia  Phone  Users  Turn  Japanese?”),  there 
has  been  a  rapid  increase  in  the  number  of  multimedia  phones 
purchased  in  the  United  States  that  play  MP3  tracks  and  video  files 
(from  15  percent  in  2005  to  36  percent  in  2007),  but  the  report  goes
on  to  say  that  “the  growth  in  multimedia  handsets  has  more  to  do 
with  operators  pushing  multimedia  handsets  to  the  market,  rather 
than  a  strong  desire  by  consumers  to  adopt  multimedia  handsets 
or  use  multimedia  services.”  For  example,  the  report  discovered 
that  more  than  80  percent  of  users  with  handsets  that  have  these 
capabilities  rarely,  if  ever,  use  the  features. 

That  could  all  change,  however,  if  the  much-hyped  iPhone  jump- 
starts  the  market  as  the  iPod  did  for  the  MP3  market.  (See  “iPhone  in 
the  Enterprise?,”  Page  28.)  In-Stat’s  Hughes  is  hedging  his  bets  for 
now.  “I  believe  the  iPhone  will  be  moderately  successful,”  he  says, 
“but  I  don’t  believe  they’ll  get  1  percent  of  the  phone  market.” 

What’s  a  CIO  to  Do? 

CIOs  trying  to  fix  their  existing  mobile  environment  have  lots 
of  work  ahead  of  them.  According  to  Rizzo’s  estimates,  less  than 
5  percent  of  the  Global  2000  have  been  early  deployers  of  customer-facing
applications  and  Web  tools  for  mobile  devices.  Around
20  percent  are  moving  ahead  with  “serious  levels”  of  mobility, 
and  another  25  percent  are  “thinking  about  it  but  are  going  to  sit 
back  and  move  in  2008,”  Rizzo  says.  The  other  50  percent  are  not 
doing  much  of  anything.  Rizzo’s  advice:  “Get  mobility  religion.  If 
you  don’t,  you’re  going  to  find  yourself  even 
further  behind  than  you  are  today.” 

Looming on the horizon are 4G services, including WiMax, the
broadband wireless technology that allows faster transmissions of
voice, data, music and video. And devices are changing as well.
Smaller, cheaper handsets and the new ultramobile PCs will soon find
their way onto the CIO’s network.

“I like to say that we need to deliver the information before the
light turns green.”
-FIDELITY CHIEF WIRELESS OFFICER JOSEPH FERRA

At  UPS,  Reid  says  that  while  customers  are 
demanding  more  wireless  services,  “the  business
case  has  to  be  there.”  His  rule  of  thumb:
Every  enhancement  to  the  wireless  services 
should  drive  additional  packages  and,  thereby, 
increase  revenue.  In  addition,  each  decision  is 
made  on  a  country-by-country  basis. 

“There  are  services  being  introduced  in 
certain  parts  of  the  world  that  won’t  be  offered 
here,”  Reid  says.  For  example,  Asian  customers 
want  to  receive  billing  information  on  wireless 
devices.  So  far,  that  hasn’t  been  the  case  in  the 
United  States. 

To  make  sure  the  right  UPS  services  are 
targeted,  the  company  surveys  customers  about  wireless  preferences,
asks  its  sales  force  about  trends  they  are  seeing,  consults
with  research  companies  like  Forrester  and  eMarket,  and  works 
with  the  wireless  carriers  that  provide  the  services. 

“Our  customers  are  starting  to  demand  much  more  flexibility 
with  the  information,”  Reid  says.  And  whether  they’re  at  home, 
at  the  office  or  on  the  road,  “they  want  to  be  an  arm’s  length  away 
from  the  tracking  and  wireless  capabilities.” 

Fidelity’s  Ferra  is  also  feeling  that  same  level  of  mobile  demand, 
especially  the  need  for  speed.  He  says  the  attention  span  of  a  mobile 
customer  is  far  less  than  someone  on  a  PC.  “I  like  to  say  that  we  need 
to  deliver  the  information  before  the  light  turns  green,”  he  says. 

In  the  future,  Ferra  wants  to  ensure  that  when  Fidelity  customers 
access  its  services  from  a  mobile  device,  their  experience  will  be  as 
seamless  as  possible.  Three  new  features  (which  aren’t  quite  ready 
for  prime  time  just  yet)  are  indicative  of  his  future  plans. 

The  first  is  what  he  calls  device  detection.  New  technology  will 
let  Fidelity’s  systems  know  the  type  of  mobile  device  a  customer 
is  using— including  keyboard  layout  and  screen  size— so  they  will 
be  able  to  provide  a  customer  experience  tailored  for  each  device. 
GPS  capabilities  will  enable  customers  to  find  the  nearest  Fidelity 
branch  office.  Lastly,  new  wireless  devices  will  allow  customers 
to  complete  asynchronous  voice  and  data  functions  at  the  same 
time.  As  an  example,  Ferra  says  a  customer  can  check  account 
balances  on  a  device  while  simultaneously  talking  to  a  Fidelity 
customer  representative.  “That’s  really  advanced,”  says  the  451 
Group’s  Rizzo. 

Of  course,  Ferra  notes,  there  are  a  limited  number  of  handsets
that  can  carry  out  those  tasks  today.  But  that  hasn’t  slowed
him  one  bit.  “I’m  a  firm  believer  that  the  predominant  way  that 
people  will  access  Fidelity  will  be  through  a  mobile  device,” 
Ferra  says.  “And  we  will  offer  them  the  best 
experience.” 

Because if he doesn’t, someone else will.

Read a Q&A with Texas Instruments CIO Brian Bonner on MANAGING MOBILE
and wireless devices at www.cio.com/article/122700.

Senior Writer Thomas Wailgum can be reached at twailgum@cio.com.
Send feedback on this article to letters@cio.com.


Cover  Story  |  Global  Security 


As your business becomes more collaborative and global, the risks to
your company’s trade secrets rise proportionally. Fortunately, there
are new strategies to protect the data that allows you to compete.

YOUR  WORLD... 


The  call  to  Bob  Bailey,  an  IT  executive  with  a  major
government  contractor,  came  on  an  otherwise  ordinary
day  in  October  2003.  “Why  are  you  attacking
us?”  demanded  the  caller,  an  IT  leader  with  a  Silicon
Valley  manufacturer.  He  wanted  to  know  why
Bailey’s  company  had  launched  a  denial-of-service 
attack  against  his  network. 

Bailey  (not  his  real  name),  deputy  CIO  in  charge 
of  IT  operations,  was  thrown.  He  spent  the  next  several  hours 
reviewing  logs  and  profiling  systems.  He  discovered  that  someone
had  taken  over  one  of  the  company’s  servers  and  was  using  it
to  launch  attacks  against  other  companies  in  the  valley. 

After  conducting  a  forensic  review  of  the  drives,  Bailey  learned 
that  intruders  had  been  lurking  on  two  of  his  company’s  servers 
for  almost  a  year.  These  hackers,  who  were  traced  to  a  university  in 
Beijing,  had  entered  the  company’s  extranet  through  an  unpatched 
vulnerability  in  the  Solaris  operating  system.  As  far  as  Bailey  could 
tell,  they  hadn’t  accessed  any  classified  information.  But  they  were 
able  to  view  mountains  of  intellectual  property,  including  design 
information  and  product  specifications  related  to  transportation 
and  communications  systems,  along  with  information  belonging
to  the  company’s  customers  and  partners.

“It  was  such  a  sobering  experience,”  Bailey  says, 
not  least  because  three  years  earlier  he  had  conducted
a  network  security  audit  and  patched  every
hole.  But  he  hadn’t  done  the  same  with  the  extranet. 

Bailey  will  never  know  who  hacked  his  servers. 
China’s  poorly  defended  servers  are  often  used  to 
launch  attacks.  He  likes  to  believe  that  the  culprits 
were  a  couple  of  students  who  launched  the  DoS  attacks  out  of 
boredom,  grew  bored  with  that  and  went  on  their  ways.  But  he 
knows  that  comforting  scenario  may  be  wrong.  It’s  just  as  possible
that  the  intruders  were  after  his  company’s  IP.  And  they
easily  may  have  gotten  it. 

(CIO agreed to Bailey’s request for anonymity in order to protect
the identities of his company’s business partners.)

Reader ROI
:: Why online IP theft is a growing global threat
:: Strategies for protecting crucial corporate data
:: How to craft an incident response plan

36 AUGUST 1, 2007 | www.cio.com

PHOTO ILLUSTRATION BY STEPHEN WEBSTER

Exposed

According to cybercrime experts, digital IP theft is a growing
threat. Although precise numbers are hard to come by, the U.S.
Department of Commerce estimates stolen IP costs companies
a collective $250 billion each year. And that number does not
include hacked or hijacked information that goes unnoticed or
unreported. The economic costs on a nationwide scale are
impossible to quantify just yet.

What’s Your IP WORTH?

Define the value of corporate data to prioritize security investments

You may think you know which pieces of your company’s intellectual
property are most valuable—and therefore most vulnerable to
intellectual property theft. But you’re probably wrong.

Even at Microsoft, which is known for zealously guarding its IP, “one
of the hard things to do is to get business leaders to articulate what
pieces of information are most valuable in running their businesses,”
says Jim DuBois, general manager of information security and
infrastructure services for Microsoft IT.

To capture the information you need to plan IP protection, ask
questions, says Bill Boni, Motorola’s CISO. You might start by
inquiring what information might let a competitor move ahead in the
market or help a counterpart in a foreign company achieve personal
gain. A good business intelligence department can use its data to help.

Once you’ve identified your company’s critical IP, which controls and
countermeasures you put in place may come down to how much you want to
spend defending certain know-how. Because there’s little accurate data
available on the costs of IP theft, there aren’t any concrete
cost-benefit models to work with. Boni uses Motorola’s own financial
predictions. “You’ve already done a lot of financial analysis about
the benefits of a product or service,” he says. “You can use those to
estimate the damage if that IP is lost or stolen.”

The cost-benefit calculation comes down to the probability of IP theft
times its consequences, says O. Sami Saydjari, president of Cyber
Defense Agency, a security consultancy. “If there’s a decent
probability that attacks could cost you $500 million, it might make
sense to invest $5 million,” Saydjari says. “Without that expected
loss, you can’t make the business case.” -S.O.

Suspected  state-sponsored  espionage 
against  the  U.S.  government  has  received 
the  most  publicity,  thanks  to  the  investigation
of  a  series  of  coordinated  attacks  on
federal  computers  dubbed  “Titan  Rain.” 
The  2003  attacks  may  have  been  the  work 
of  a  China-based  cyberespionage  ring  that 
was  trying  to  steal  government  information,
according  to  articles  published  in  The
Washington  Post  and  Time  magazine  in 
2005.  But  companies  in  any  industry  may 
be  vulnerable.  As  businesses  increasingly 
collaborate  with  external  partners  and 
expand  globally,  they’re  also  increasing 
their  exposure  to  criminals—and  possibly
foreign  governments—who  may  have  more
on  their  minds  than  scoring  some  Social 
Security  numbers. 

“There’s  a  ceiling  on  how  much  money 
can  be  made  by  stealing  identities,”  says 
Scott  Borg,  director  and  chief  economist 
of  the  U.S.  Cyber  Consequences  Unit,  an 
independent  nonprofit  institute  set  up  at 
the  request  of  the  federal  government  to 
examine  the  economic  and  strategic  consequences
of  cyberattacks.  “You  can  actually
steal  the  business—its  processes,  its  internal
negotiating  memos,  its  merchandising
plans,  all  the  information  it  uses  to  create 
value.  That’s  a  very  large  payoff.” 

Unfortunately, most IT organizations approach the risk to IP the way they
approach all IT security: focusing on the corporate perimeter and
developing security tactics and policies from the system level up.
Instead, CIOs must take a top-down approach. What’s required today is a
counterintelligence mind-set that assumes someone, somewhere, wants your
data, along with multiple layers of defense to thwart would-be cyberspies
and respond when (not if) they get through your defenses. “There are
wide-ranging attacks against commercial organizations,” says Bill Boni,
CISO of Motorola. “It’s incumbent on organizations—be they governments or
commercial enterprises or academic institutions—to understand what their
crown jewels are and make sure they are protected commensurate with their
value.”


The Global IP Threat Landscape

The most widely known cybercrimes have to do with the theft of customer
information and credit card fraud. (For more about fighting financial
fraud, read “How You Can Fight Cybercrime,” at
www.cio.com/article/117201.) But the cost of lost customer information
could pale in comparison to the long-term damage done when a hacker
targets a company’s critical IP, says Borg.

According to the 2006 Computer Crime and Security Survey by the FBI and
the Computer Security Institute, theft of proprietary data and
unauthorized access to information are among the four most common sources
of loss due to cybercrime (along with viruses and hardware theft).
Although the survey did not report any increase in losses due to IP theft,
the authors note such costs are hard to measure accurately. Security
experts assume, however, that the losses are significant.

“We’ve seen a big shift in the last two years to more sophisticated,
stealthy attacks,” says Gartner VP and Security Research Fellow John
Pescatore. Sometimes, he says, the aim is purely financial: hijack some
data and get the company to pay you to return it; or steal a customer
database and sell the personal identification to whoever will pay for it.
“Other times, it’s industrial espionage. And as people started to look at
where those targeted attacks were coming from, they found they were coming
from all over the world.” Experts point to China, Russia, France and
Israel as big players in this black market.

CIOs may be less aware of the threat to IP than to their systems, and
therefore less prepared to protect the former. “Companies are thinking
about worms and viruses, things that will not have very bad consequences
and have always been wildly exaggerated,” says Borg. “Or they’re thinking
about ID theft, which attracts a lot of attention, even though the number
of cases is remarkably low.”

There’s a difference, too, in the systems an intruder looking for
corporate secrets may target. IP thieves “won’t necessarily look at
obvious financially sensitive areas,” says Borg, thereby escaping
detection. “They may be looking at technical data, controls systems,
automation software.” And the results of IP theft can be hard to see—a
slow degradation of one’s competitive position in the market may easily be
attributed to other, noncriminal factors.

Until recently, the most conclusive public evidence that sustained
industrial espionage has taken place in cyberspace has come from the
military. Titan Rain was “the most systematic and high-quality attack we
have seen,” says Ira Winkler, author of, most recently, Zen and the Art of
Information Security. Chinese hackers successfully breached hundreds of
unclassified networks within the Department of Defense, its contractors
and several other federal agencies. One Air Force general admitted at an
IT conference last year that China had downloaded 10 to 20 terabytes of
data from DoD networks.

But  it’s  not  just  high-profile  targets  that 
are  at  risk.  “The  intellectual  property  needed 
to  build  a  new  type  of  safety  restraint  for 
an  aircraft  is  just  as  important  as  anything 
else,”  says  Howard  A.  Schmidt,  former 
CISO  of  eBay  and  former  special  adviser  to 
the  president  for  cyberspace  security. 

IP thieves have targeted companies as diverse as retailers and high-tech
manufacturers. In incidents nicknamed “the Trojan Affair,” 18 Israeli
executives from several companies were arrested for their involvement in
an international computer espionage conspiracy that targeted competitive
information from rivals including, in 2005, the Israeli divisions of Ace
Hardware and Hewlett-Packard. Also in 2005, several executives from the
software company BusinessEngine pleaded guilty to hacking rival Niku’s
systems to access its trade secrets.

Nevertheless, some companies are more exposed than others (see “How
Vulnerable Are You?” Page 42). Large, distributed organizations provide
more opportunities for attackers to gain access to corporate networks,
says Alfred Huger, vice president of engineering for Symantec Security
Response. Historically, the biggest risk to IP has been from insiders. A
few years ago, Motorola detected suspicious unauthorized activity on its
network. Boni’s security team traced the activity to an employee
workstation, which contained a directory populated with a complete hacker
toolkit. Under questioning by investigators, the employee admitted that
he’d been asked by a competitor to hack into Motorola’s systems to access
sensitive IP; he was terminated.

In today’s global economy, the number of insiders within any organization
has increased dramatically if you count external partners among them.
“Organizations now have to deal with employees connecting from home
offices, the local Starbucks and shady hotels,” says John Bumgarner,
research director for security technology at the U.S. Cyber Consequences
Unit. “They also have to deal with business partners and customers having
access to their networks via VPNs, dial-up connections and Web portals,
any of which can be used to compromise the organization’s resources.”

It was a connection to these externally based insiders that got Bailey, at
the government contractor, in trouble. “The extranets pose a problem
because many of them are controlled by program managers for the benefit of
the customer,” says Bailey. “And that can make policy enforcement
problematic.” But the focus on pleasing the customer backfired. “There’s
nothing worse than having to call up your customers and say, Because of
our negligence, we’ve compromised your proprietary information,” Bailey
says.


The Counterintelligence Mind-Set

As hacking has grown more purposeful, the traditional IT security mind-set
has failed to keep up. “There’s virtually unlimited information to protect
and unlimited supply of threat and vulnerability,” says Motorola’s Boni.
And there are no easy solutions. “Risk management oversight over distant
suppliers is an emerging art,” Boni says.

The vast majority of IP loss incidents are simple errors: posting
information to externally facing websites wrongly assumed to be protected
or including confidential information in a reply to an e-mail that
includes external recipients, says Boni. The most successful hacks, says
Bumgarner, occur because attackers get lucky, stumbling across a
vulnerability while scanning thousands of IP addresses. But the most
dangerous attacks are deliberate.

To defend against targeted attacks, Motorola uses traditional controls
such as firewalls, intrusion detection tools, antivirus software and
digital forensics—but with a difference. “We’re operating our information
security toolkit with a counterintelligence mind-set,” says Boni. Like the
military, Boni assumes there’s an enemy looking for an advantage and it’s
his job to outwit him. “Putting those tools together with an understanding
of what is or could be of greatest interest to competitors allows a more
granular focus on the data,” says Boni, “not just on the network.”

Boni partners closely with business units to attempt to forecast the risk
to particular IP-related information. (For more on how to do that, see
“What’s Your IP Worth?” Page 40.) “Every product or service has market
share and projected financials. We try to understand what pieces of
information are the key contributors to that product or service and
whether they are at risk to targeted attacks.”


How VULNERABLE Are You?

Distributed, poorly defended organizations face the most risk

If your intellectual property is digital, you’re at risk for online IP theft.

But there are varying degrees of exposure. “It has to do with how valuable a
target you present and how well-defended you are,” explains O. Sami Saydjari,
president of security consultancy Cyber Defense Agency.

The types of organizations that currently face the highest risk include:

► Large, globally distributed organizations

► Small to midsize businesses in niche markets

► Companies with foreign partners or that sell directly in foreign markets

► Organizations with decentralized IT

► Military or government organizations that rely heavily on contractors and
suppliers

► Industries like telecommunications that supply critical national infrastructure

► Organizations lacking executive sponsorship of security issues, technical
enforcement of security policies, adequate security monitoring or
process/preparedness for dealing with security breaches

External partners, locally and globally, are a major source of risk. “You can
spend millions on your own defenses,” says John Bumgarner, research director
for security technology at the U.S. Cyber Consequences Unit. But attackers may
find a way in through weak spots in the systems of customers or suppliers. As
intruders’ sophistication increases, however, all organizations may face similar
vulnerabilities. “With new hacking methods, if the information is not encrypted
and it is very valuable, it’s at high risk,” says Alan Paller, research director for the
SANS Institute. -S.O.


More companies need to adopt this more nuanced approach, agrees O. Sami
Saydjari, president of Cyber Defense Agency, a security consultancy.
“They’ll hire white-hat hackers—doorknob turners who shake all your doors
and tell you where they got in,” Saydjari says. “And the company will try
to figure out where to close those vulnerabilities. That’s primitive
analysis.” When Bailey, the government contractor, conducted penetration
testing of his internal systems, the white hats delivered a
five-inch-thick report of vulnerabilities. Bailey says he closed every
hole, but he ignored the extranet. Nor did he have a comprehensive program
for updating systems and installing patches. “The lessons learned from the
exploit were not uniformly applied across the business,” says Bailey.
“That was my mistake.”

While monitoring and patching of systems is essential to any security
strategy, many CIOs and IT security professionals approach the task
backward, says Schmidt. “The discussion always seems to be, Tell me where
the threat is and I’ll secure that system,” Schmidt says. “You need to
test systems for vulnerabilities before deploying, have a plan in place to
patch them, and audit to see who’s doing what and where data is.”

Turning the traditional approach to security on its head can help IT
organizations prioritize spending to protect critical IP. “You need to
look at the mission of the organization from the top down as opposed to
the bottom up,” Saydjari explains.

Defense  in  Depth 

Without a clear idea about which IP assets most need protecting, CIOs may
put their security dollars in the wrong places. “Most large organizations
have all done basic blocking and tackling—firewalls, antivirus products,
et cetera,” says Amit Yoran, CEO of network forensics company NetWitness
and former director of the Department of Homeland Security’s National
Cyber Security Division. But as with cybercrime generally, perimeter
defense goes only so far. Companies need a cyberdefense strategy that is
multilayered with different types of protection at each layer.

One strategy, called “defense in depth,” derives from the military
technique for slowing down rather than trying to stop the advance of an
adversary. The model applies when the question is not if, but when,
hackers will break in. “If you reinforce one area, [attackers] will look
to another,” says James Lewis, director and senior fellow with the Center
for Strategic and International Studies. “The job is to reduce the chance
that they’ll be able to get in.”

On the network, defense in depth means traditional perimeter security is
supplemented with advanced intrusion detection systems, segmented networks
with tighter security around some information, demilitarized zones for
public data and security audits. But a good defense-in-depth strategy
takes its multilayered approach to people, processes and technology as
well.

The approach enables IT security teams to get beyond dealing with hackers
as if playing a game of whack-a-mole and treat the problem more like a
chess game, says Jim DuBois, general manager of information security and
infrastructure services security for Microsoft. DuBois has worked at
Microsoft for 14 years and lived through a public incident in 2000 when
hackers, who The Wall Street Journal reported were traced to Russia,
allegedly accessed some of Microsoft’s key applications and source code.
(DuBois was not part of the security group at the time. A Microsoft
spokesperson argues that the incident was not portrayed accurately in the
media, but that it reinforced the importance of security controls and
helped drive adoption of several projects, including smart cards for
remote access and a public key infrastructure—which allows for the secure
and private exchange of data in unsecure environments.)

“The thought process is no longer making sure nothing bad ever happens,”
says DuBois. “There may be a bug in the Cisco
code or someone might misconfigure a device. If [attackers] get at that
chess piece we left unprotected, what will we do?” Microsoft has moved
toward host-based controls, meaning they protect the data on a device or a
network. “You have to protect everything, not just important data.
Controls are more onerous than they need to be,” says DuBois. He wants to
get more granular. His goal is to secure the data itself, not the hardware
or applications in which it resides, with next-generation digital rights
management tools.

Classifying  Information 

Over the years, Microsoft has sought to increase protection of its source
code. But sometimes it has done too much. “We found a lot of places where
we had too many controls around code we’ll actually give away for free on
TechNet,” says DuBois.

The right level of protection can be difficult to pinpoint, however. Too
often organizations apply the same standards of security for everything.
That leaves some less valuable data overprotected and some more critical
IP relatively exposed. Not only that, says Borg, but when CIOs think about
what to defend first, they’ll often think of the company’s most-critical
systems, like ERP or customer databases. However, he adds, “that’s usually
not where the liabilities are created, because that’s not where the
company creates the most value.”

Motorola has developed what it calls an enablement zone environment, which
segments the network, allowing groups of systems and applications to share
a set of targeted security controls. In this way, security controls are
aligned with the risk to the information the systems contain, as well as
with relevant regulations or contractual terms. The most intrusive
security solutions—including digital rights management, virtualization of
content (to prevent its propagation outside the controlled environment)
and role-based identity management—“are only warranted on
breakthroughs,” Boni says. He advocates revisiting the classifications
often. “If eternal vigilance is the price of freedom,” says Boni,
paraphrasing Thomas Jefferson, “continuous monitoring and preparation to
respond quickly is the cost associated with global digital commerce.”

Your Incident Response Plan

Another layer of defense in depth is being prepared when intruders strike.
“The IT model for dealing with a disruption is to get that server back
online as fast as possible,” says Boni. But before that happens, he adds,
ask yourself how important the contents of the system are, whether
intruders saw any critical data and whether the attack might be meant to
distract you from the real target.

Boni does a first-level analysis. If triage determines that the incident
could have a high impact, or if it appears deliberate, it may warrant a
more significant response than the vast majority of intrusions that can be
addressed through analysis of log files and systems profiling (for
instance, he may call law enforcement, and secure affected systems and
servers for evidence). “Prudent incident response means planning ahead,”
says Yoran of NetWitness. “People need to know how to receive and
interpret various clues and deduce [what] may have occurred or may be
occurring.”

Communication is also critical. “Incident response is still very siloed
and technology focused,” says Khalid Kark, a senior analyst with Forrester
Research. For serious breaches, Boni brings in a cross-functional team
that includes, among others, crisis managers, internal auditors, lawyers
and HR to assess the incident and determine who needs to be involved in
the response. Yoran suggests interacting with public relations advisers,
user communities and vendors, where necessary.

When the problem is global, the challenge escalates. “It may require
interface with the local or regional staff, [which], given language, time
zones and differences in operating practices, may be more difficult to
coordinate, even inside an organization,” says Boni. “Establishing working
relationships with federal law enforcement ahead of time also helps,” says
Yoran. “They regularly work these issues with foreign parties.”

When it’s time to pick up the pieces, Alan Paller, research director with
the SANS Institute, pushes for root-cause analysis to determine which
exploits the hacker used and what can be learned from that. That’s what
Bailey, the government contractor, did once he discovered his problem.
After contacting law enforcement, making a full disclosure to affected
customers and partners, and completing a forensic analysis, he moved to
cover the holes in his data protection strategy. These included better
procedures for installing patches. He also recruited a manager of
information security, expanded her department and set up a computer
incident response team. Among its activities, the team lurks on hacker
boards to keep up with the latest exploits and conducts intrusion
detection exercises.

Today, most important, Bailey fully appreciates the risks. That’s the key
for CIOs who must manage the growing threat to corporate knowledge, says
Borg: “Simply appreciat[ing] the stakes.”

“There’s some very sophisticated hacking taking place—some of it
state-sponsored—and they’re going after IP,” says Bailey. “We can never be
100 percent secure, but we’ve redoubled our efforts. It taught us a big
lesson.”


Contact Senior Editor Stephanie Overby at soverby@cio.com. Send feedback
to letters@cio.com.
California highway revealed its weaknesses


This past February 2, at 5:15 p.m., Alan Boehme, 47, VP and CIO of Juniper
Networks, left his office and climbed into his black 2004 Infiniti G-35.
He pulled out of the company parking lot and began the 90-minute drive to
his home in Half Moon Bay, a coastal town in Northern California’s San
Mateo County. Boehme’s work had been going well. In December, he had
completed an ambitious restructuring of the $2.5 billion networking
company’s IT infrastructure, globalizing its operations and laying the
foundation for its future growth.

Boehme  took  California  Highway  280  to  Highway  92,  a  two-lane  road  about  10 
minutes  from  his  house.  A  few  seconds  later,  a  drunk  driver  in  Boehme’s  lane  hit 
him  head-on. 

“The  person  in  front  of  me  swerved  off  the  road  because  he  saw  the  guy  coming,” 
Boehme  recalls.  “The  next  thing  you  know,  these  headlights  were  coming  straight  at 
me.  We  hit  headlight  to  headlight.  I  remember  thinking,  my  wife  and  son  are  going 
to  lose  their  husband  and  father.” 

They  didn’t.  But  the  aftermath  was  ugly. 

“I  felt  blood  just  gushing  down  my  face  and  I  was  in  a 
state  of  panic  and  shock,”  says  Boehme.  “Somehow,  I  was 
able  to  get  the  seat  belt  off,  kick  the  door  open.  I  got  out  of 
the  car  and  just  started  yelling,  ‘Help  me,  help  me.’” 

A person who witnessed the crash helped Boehme to the side of the road. An
artery in his nose had been severed, and he was bleeding profusely. “I had
broken bones
in  my  face,  and  my  nose  was  turned  sideways  and  crushed,”  he 
says.  “I  ended  up  with  a  contusion  of  the  skull  and  a  fracture  at  the 
base  of  the  skull,  along  with,  we  found  out  later,  a  series  of  injuries 
to  the  left  side  of  my  body,  including  my  knee,  where  there  were 
torn  ligaments  and  a  crushed  kneecap,  as  well  as  a  broken  finger 
and  torn  muscles  in  the  shoulder  from  the  seat  belt.” 

Boehme lay on the side of the road as EMTs attended to the drunk
driver, believing his stomach wound was more life-threatening than
Boehme’s injuries. “I was very upset that here’s this person who for
all I knew had ended my life, and at minimum had dramatically impacted
my life, and they’re rushing to save him,” he recalls.

Feeling cold and abandoned, Boehme asked the man who had stopped to
grab his BlackBerry. He called his wife, Alisa, who arrived 20 minutes
later with their 11-year-old son, David. They found Boehme lying on the
roadside, still waiting to be taken to the hospital.

Later that night, at Stanford Medical Center, doctors monitored what
they believed was a fluid leak in Boehme’s brain. They stitched up his
face and put IVs in both arms. Boehme drifted off as the painkillers
did their work. He awoke Saturday morning to find his BlackBerry by his
side.

“I don’t know if my wife picked it up or if they put it on my person,”
says Boehme, “but I e-mailed Danny Moquin [his VP of IT operations and
infrastructure]: ‘Been in a car accident. You need to take over.’”

The  Importance  of 
Succession  Planning 

What happens when a key player in a company goes down? Who takes over?
What effect will replacing an individual have on operations? While most
businesses have org charts that map out what to do after
disruptions—whether they’re caused by resignation, firing, retirement,
sickness, injury or death—these are often crude in format and live in
dusty filing cabinets in HR. And because succession planning often
falls under the category of business continuity and disaster recovery,
it frequently receives less attention than does preparing for sexier
events such as hurricanes, earthquakes and terrorist attacks, even
though these are far less likely to occur than, for example, a car
accident.

Planning  for  major  catastrophes  also  emphasizes  information 
systems  and  the  proprietary  data  within  them  and  all  too  often 
gives  short  shrift  to  the  people  who  manage  it  all. 


“The old question is, ‘What if someone gets hit by a bus?’ Well, we
know the answer to that now,” says Moquin, who took over for Boehme
during his two-and-a-half-month convalescence.

Companies often lack succession plans that reach beyond their C-level
officers and their direct reports. In a report by Aberdeen Research, 82
percent of the companies surveyed claimed to have a succession plan for
their executives, while only 17 percent did for lower-level workers and
just 12 percent for their IT staff. This leaves less-visible (and often
younger) employees stepping into managerial roles after a disturbance
in the head ranks, often without sufficient training or preparation.

“Ideally,  it  starts  with  the  C-level  and  the 
direct  reports,  but  it  can’t  just  stop  at  the 
management  level,”  says  Sam  Bright,  an 
analyst  at  Forrester  Research.  “There  are 
key  people  on  the  technical  side  that  if  the 
company  were  to  lose  them,  it  would  have 
a  huge  impact  on  performance.” 

Today, after the collision on Highway 92, Boehme and his staff know
that no matter an organization’s size or how solid and well thought out
its processes, individuals matter.

“Obviously,  a  well-run  corporation  isn’t 
about  a  single  leader,”  says  Boehme.  “But 
still,  what  are  those  unsaid  things  that  a 
person  does  or  that  a  person  contributes  to 
that  are  not  in  the  process?  Those  are  the 
hard  things  to  measure,  and  those  are  the 
hard  things  to  plan  for.” 

The  Pre-Crash  Plan 

In the year leading up to his crash, succession planning had come up in
conversations Boehme had had with his direct reports. They had a plan
laid out on spreadsheets. The document, which resembled a standard org
chart, lived in HR. It covered Juniper’s C-level officers, IT executive
team, and their direct reports—and not much else. This type of
succession plan is typical in the majority of America’s top companies,
62 percent of which use the same method, according to the Aberdeen
survey. While Juniper’s HR stored resumes on its system as well, Boehme
says, “you couldn’t just press a button to get what you need.”

The reason Juniper’s plan went no further was not laziness; it was,
says Boehme, time pressure. During his first year and a half as CIO,
Boehme restructured Juniper’s operations and infrastructures in Asia,
Europe and the United States—each with its own networks and systems—and
put them all under one umbrella. This was not just about technology for
Boehme; it was a managerial challenge. The direct reports he inherited
after he came on board in 2005 were, he says, lukewarm about the
integration.


Your Succession Toolbox

Get help capturing employee skill sets and experience

A 2006 report by Aberdeen Research notes that 62 percent of companies
operate their succession planning in a paper-based, spreadsheet format.
Prior to VP and CIO Alan Boehme's car crash, Juniper Networks largely
worked on that model. Now, Boehme says he hopes to implement an HR
solution from Oracle’s PeopleSoft that will help capture more employee
data. Other companies might consider similar systems when forming a
comprehensive plan, but Kevin Martin, an Aberdeen analyst, notes that
there are very few vendors dedicated solely to developing software for
succession planning. However, here’s a list of ERP and human capital
management software that he says could help.

ERP Solutions

• Infor

• Oracle (PeopleSoft)

Human Capital Management Solutions

• Meta4

• Sapien

• SilkRoad Technology

• Softscape

• SuccessFactors


“Change  is  difficult,”  Boehme  says.  “Some  people 
self-selected  themselves  out  of  the  organization.  I 
literally  replaced  the  entire  leadership  team  of  the 
IT  organization,  all  of  my  direct  reports,  with  the 
exception  of  one.” 

As Boehme’s 300 or so IT employees and contractors adapted to a lot of
change, it was hard for him to focus on a formal succession plan, at
least until he conceptualized their new roles and established a new
chain of command. “Because we’d just gotten through the restructuring,
we’d just started to move to standardizing the job ladders,” he says.
“We’d done some of the work, but [at the time of the car crash] it was
basically a work in progress.”

Since his return, Boehme has made installing Oracle’s PeopleSoft
software, which logs employee data for succession planning, a high
priority. However, he says he won’t implement it until Juniper has
collected sufficient information about his employees’ skill sets and
work histories. Experts say that’s wise. An automated solution of this
type is only as good as the information put into it. A lot of companies
don’t have enough information about the skill sets, leadership skills
and experience levels of their employees to warrant spending on an
automated system, notes Kevin Martin, research director of human
capital management and analyst at Aberdeen. “The primary reason that
companies are still paper-based is that they don’t have the succession
planning process nailed down yet,” he says.

The  Ripple  Effect 

In Moquin, Boehme had the benefit of a fairly obvious replacement while
he was recovering. As a friend and colleague (they worked together at
GE Energy, a $20 billion division of the company that Boehme worked for
from 1999 to 2003), Moquin was put in charge of Juniper’s IT operations
and infrastructure when he was hired by Boehme in June 2006. “It was
pretty clear that Danny was going to be the person we went to,” says
Bill Skeet, director of IT communications and Web technology, one of
Boehme’s direct reports. “Sometimes, it’s just enough to know that when
someone is absent, there is a ‘Number One’ that fills in, taking the
Star Trek analogy.”

Approval  processes  were  shifted  to  Moquin,  who  began  sitting  in 
on  the  senior  leadership  meetings  that  Boehme  normally  attended. 
Almost  immediately,  however,  Moquin  noticed  something  obvious 
but  inescapable:  His  old  work  didn’t  suddenly  go  away. 

“The eye opener was that as I started taking on Alan’s
responsibilities, especially his strategic ones, I had to look to my
team and start delegating both some of Alan’s work and some of my own,”
he says.

The consequences rippled through the entire IT department. And as work
was passed down the chain of command, it became clear that simple
delegation had its difficulties. For instance, one IT lieutenant, Brian
Nichols, senior director of business program management, was charged
with overseeing an upgrade to a business process management software
project that had hit some snags in Boehme’s absence. But because some
of Boehme’s responsibilities had trickled down to him, Nichols found
himself with an overflowing plate. Although it would have been
desirable for him to pass the BPM project on to one of his reports, he
didn’t feel that any of them had sufficient management expertise to
handle it on their own. “I had to step in when I would have liked to
have delegated,” Nichols recalled.


Juniper Networks CIO Alan Boehme's 2004 Infiniti G-35 after the crash.
He now drives a 2005 BMW X5, “the heaviest SUV I could find short of
getting a Chevy Suburban."


Five Best Practices

Business continuity is a key part of the CIO's responsibilities. For
five tips on how to construct a robust plan, go to
www.cio.com/article/12576.


Nichols  now  says  he  recognizes  the  importance  of  giving  his 
direct  reports  the  same  type  of  leadership  training  that  he,  Moquin 
and  other  director-level  reports  have  received.  Analysts  say  this  is 
especially  vital  in  a  field  like  IT,  where  technical  workers  usually 
have  the  requisite  skills  to  do  the  job  but  often  lack  the  necessary 
managerial  expertise. 

“You  need  to  encourage  employee  development  beneath  the 
managerial  ranks,”  says  Forrester’s  Bright.  “When  attrition  occurs, 
you  can’t  take  the  time  to  catch  people  up  when  you  have  a  gaping 
hole  to  fill.” 

Boehme says that before the accident, Moquin was in the process of
laying out a training program for managers and people who aspired to be
managers, but “we had been somewhere between the beginning and
mid-stages of laying it out.” He adds they plan to continue with the
program in the future to develop a deeper bench. “You need it from the
bottom up as well,” he says.

Clout  That's  Hard  to  Replace 

Moquin  says  the  momentum  Boehme  had  established  kept  things 
moving  forward  after  the  crash.  “Having  everyone  within  the 
organization  focused  on  the  same  goal  made  it  easier  to  carry  on,” 
he  says.  “There  weren’t  a  bunch  of  different  agendas.” 

That may have been true, but after Boehme’s crash, Juniper’s IT
projects didn’t all move forward with the same momentum they had in the
past. Juniper employees say this wasn’t due to a lack of leadership at
the top: everyone contacted for this article lauded Moquin’s
leadership. But they say Boehme’s C-level pull across the organization
just couldn’t be replaced, particularly with senior executives.
“[Boehme] has relationships and understands the needs of business
partners at the senior VP level,” says Nichols. With Boehme out of
commission, communication at that level was compromised, Nichols adds.

For example, Juniper was in the process of implementing a new document
management system. The decision to begin the project had been made at
an executive steering committee meeting that Boehme had attended. After
the decision was made to do the upgrade, Boehme placed Nichols in
charge of implementing it. Nichols found a company that had the
appropriate software and bought the licenses. However, when he began
implementing it during Boehme’s absence, a problem arose. One of the
user groups didn’t want it, preferring a homegrown system. “We had some
pushback,” says Nichols. “I had to fight that battle without Alan and
without knowing the context within which the decision was made.
Normally, Alan would have taken care of it.”

Without Boehme—and without a subordinate with Boehme’s full authority
and knowledge of the situation—a conflict that normally could have been
resolved in a few hours took much longer and absorbed more energy than
it needed to.

Back to Normal?

Boehme takes the train to work now. His days of driving fast, sporty
cars are over. He recently bought a BMW X5, which is “probably the
heaviest SUV I could find short of getting a [Chevy] Suburban,” he
says. He attends physical therapy sessions two to four days a week.
Doctors tell him that his brain injury will take up to 18 months to
fully heal. Since the crash, his blood pressure has risen, and he now
takes medicine for it. He still hurts. He gets tired earlier in the
day. “I come home from work and the first thing I do is sit down and
rest for 20, 30 minutes before I can continue with my evening,” he
says.

Boehme’s injuries kept him out of the office for two and a half months.
He admits that when someone misses that much time, it’s not like coming
back after a vacation. It’s disorienting. In fact, he spent a lot of
time planning his reentry with Moquin, COO Stephen Elop (to whom Boehme
reports) and with Juniper’s HR department. Boehme says he couldn’t pick
up where he had left off. “It wasn’t like all of a sudden, I’m back,”
he says.

Succession planning, however, has risen on the list of Boehme’s
business continuity priorities. He says he has nearly 45 people working
on the new PeopleSoft HR system. It will include areas that log
employee history to help Juniper executives and managers make a more
comprehensive succession plan, from top to bottom and across the whole
company.

Other  companies  seem  to  be  moving  in 
that  direction  as  well.  According  to  Aberdeen, 
39  percent  of  companies  report  now  having 
a  fully  or  partially  automated  solution  for 
succession  planning.  “Although  [Juniper’s] 
was  paper-based  and  it  worked,  the  accident 
wakes  you  up  to  realize  that  it  can  be  much 
more  efficient  if  it  is  systematized,”  Boehme 
says. 

Boehme reiterates that Juniper will continue to train workers at all
levels in leadership and managerial skills to create a deeper, more
agile bench. Analysts on succession planning and human capital suggest
mentoring programs that have lower-level technical workers shadow their
bosses from time to time and make connections with other leaders in the
business. “Establishing political relationships helps grease the
wheel,” says Forrester’s Bright. “They’ll have established
credibility.” And perhaps that will help avoid situations like the one
Nichols found himself in with the engineering group on the document
management project.

For now, Boehme is working on regaining his energy while adjusting his
schedule. He works at home more. He’s set up a special router in his
house that will ensure a secure connection to Juniper’s network. He
uses videoconferencing to help communicate with other Juniper sites
across the globe. But more time working at home doesn’t mean taking it
easy; he says he’s now as busy as ever.

The  crash  has  given  Boehme  a  new  understanding  of  and 
appreciation  for  the  human  side  of  business  continuity  planning. 
“When  you  think  of  business  continuity  and  disaster  recovery, 
you  tend  to  think  of  earthquake  and  tornadoes  and  events,”  he 
says.  Today,  Boehme  thinks  about  what  most  people  don’t  want  to 
think  about:  what  can  happen  to  a  person  in  a  bad  moment. 

“We don’t personalize these things,” he says, “because you don’t want
to wish what happened to me on anybody.”


Associate  Staff  Writer  C.G.  Lynch  can  be  reached  at  clynch@cio.com.  Send 
feedback  on  this  story  to  letters@cio.com. 


3 Key Succession Planning Tips

Expert advice on how to leave your business in a position to move
forward when the predictably unpredictable occurs

1. Extend succession plans as far down the chain as possible. When a
disruption occurs, “it cascades through the entire organization,” says
Kevin Martin, an analyst with Aberdeen Group. “You should be prepared
at every level, two to three people deep.”

2. Encourage people to step in for others during vacations. This builds
expertise. “It’s like trying to tell if someone can ride a bicycle when
you’ve never seen them ride,” says William J. Rothwell, a consultant
who deals with HR management and succession planning. “An excellent way
to find out is to let them ride the bicycle for short distances.”

3. Assess employee skill sets. This could prevent you from having to go
into the market and overpay for talent you might already have in-house.
“There are so many skills in demand,” says Sam Bright, an analyst at
Forrester Research. “If you have to go outside, you’re going to pay a
premium. You need to know what you have in-house.”

-C.G.L. 

FUTURE-STATE  CIO 


Ready for a Strategic CIO?


It’s one thing to say CIOs should be more strategic, but the CIO role
is shaped (and in many cases constrained) by the business. CIOs can
equip themselves to be well-rounded C-level executives and boost their
acumen in competencies such as market knowledge, commercial orientation
and external customer focus, but, as many members of the CIO Executive
Council have found, if their companies don’t see them in that light, it
doesn’t matter how ready and eager they are to leverage their role more
strategically. Consequently, in many organizations there’s a gap
between expectations and capability that limits the value of the CIO.

That’s why Council members created an assessment tool to compute
organizational readiness for an expanded CIO role and identify
indicators that the enterprise might be ready (with a little nudge) to
grant greater strategic responsibility to the position. This tool is a
companion to the C-level competencies assessment highlighted in the
July 1 article “The Secrets of C-Suite Success”
(www.cio.com/article/121lSl) and is a component of the Council’s
Future-State CIO program.

This Business Readiness Index Assessment is divided into two themes:
business characteristics and conditions (the company’s direction,
business process and the leadership climate) and business regard for
technology and the IT organization (the company’s attitude toward IT
spending and how the business interacts with IT and the CIO). Both
areas combine to determine the business need for and openness toward a
strategically oriented CIO. A spreadsheet version of the tool is
available on CIO.com at www.cio.com/cec/strategic_cio/.

Seizing  the  Opportunity 

Changes in business direction, market forces or new growth present
opportunities for CIOs to step up their strategic contribution. “The
faster your business environment is changing, the more a CIO business
strategist makes sense,” says Amer Sports Vice President of Global IT
Thomas Henkel.

The events of 9/11 brought business continuity to the forefront for
financial services firm Federated Investors, as it did for many others.
Seeing a void in enterprisewide leadership, CIO and president of
technology, Rex Althoff, responded by taking over management of the
corporate business continuity function for the $1 billion enterprise.
Althoff knew his experience with IT disaster recovery and deep
understanding of the different business units made him a natural fit
for this strategic leadership role. “I saw a critical business need
which required a solution: how to ensure the well-being of the company
in case of a disaster. So, I brought my restructuring recommendations
to executive management,” he recalls. Althoff didn’t stress about the
fact that corporatewide business continuity isn’t a typical IT
activity. “I don’t worry about who owns what; I worry that the firm is
moving forward,” he says.


Business Strategist at Work

So what does a strategically oriented CIO actually do?

Being a strategically oriented CIO means more than enabling business
initiatives or providing services. When Direct Energy introduces
something new into the market via its Web channel, CIO Kumud Kalia
leads much more than the IT piece; he co-owns the business outcome
regardless of how well the technology platform works. If the business’s
expectation is that 20,000 customers will register in the initial
round, and that goal isn’t met, Kalia takes charge of finding out what
happened.

“I’ll go back and ask about the marketing campaigns, brainstorm new
ways to attract customers, check about the branding of the URL or
change the marketing message a bit,” he says.

Kalia has been operating at this expansive, strategic level since he
started at Direct Energy, and he has earned formal acknowledgment of
his role with the addition of the title Executive Vice President of
Customer Operations. -C.M.


Evan Stewart, CIO at BE Aerospace, saw a chance to expand his strategic
contribution when his company, a manufacturer of commercial jet parts,
experienced a spike in growth in the Asia/Middle East market due to a
growing number of airline travelers with discretionary income. Stewart
noticed an uptick in the number of requests from senior business
leaders asking IS to consult on new processes for this region. “It was
a watershed moment for me and the IS department,” Stewart recalls. “We
were actually being asked to be more strategic.”

Stewart responded by reorganizing his department into three parts—an
operational group, a strategic group and a new liaison group that
visits with external customers to discuss what they will need in the
future. Stewart’s role is now akin to that of a leader of a strategic
consulting group. “I changed the way I think, talk and act; now
everything is about business value” and how we can contribute to
growth, he says.

CIOs should realize that because of their enterprise-spanning
viewpoint, they have process and operational insight they can bring to
bear in any number of situations. Philips Medical Systems CIO Kenric
Anderberg is not formally responsible for business process improvement.
However, when the operations lead is focused on other initiatives, he
takes the opportunity to fill the gap. “As CIOs, we already know the
business processes and how to think about business improvements,” says
Anderberg, so operations leadership is a natural opportunity to step
up. By doing so, CIOs can position themselves as business leaders,
willing to step outside the IT box and take risks in new areas, says
Anderberg.

Now  It’s  Time  for  an 
Attitude  Adjustment 

Even  when  opportunities  present  them¬ 
selves  (see  below,  “Does  Your  Business 
Need  a  Strategic  CIO?” ),  if  the  business’s 
attitude  toward  IT  and  the  CIO  role  is 
antiquated  or  negative,  a  CIO  seeking  to 
make  a  broader  contribution  may  find 
himself  rebuffed.  Changing  attitudes 
about  IT  and  the  CIO  role  is  difficult, 
but  CIOs  can  be  successful  by  doing 
so  incrementally.  Darin  Brumby,  CIO 
at  $5.5  bil-  Continued  on  Page  62 


Does  Your  Business 
Need  a  Strategic  CIO? 

Six  indicators  that  signal  opportunities  for 
CIOs  who  want  to  focus  on  more  than  IT 

1.  Business  leaders  are  considering  significant  enhance¬ 
ments  to  the  customer  experience. 

2.  The  business  is  pushing  hard  to  develop  new  products, 
services  and  markets. 

3.  The  organization  is  expanding  into  new  lines  of  business. 

4.  There's  a  lack  of  ownership  of  some  cross-enterprise 
discipline. 

5.  There’s  a  new  or  growing  emphasis  on  cross-enterprise 
business  disciplines  such  as  security,  business  continuity 
or  regulatory  compliance. 

6.  There’s  a  universally  recognized  need  for  more  knowledge 
about  customers,  products  and  processes  to  enable  bet¬ 
ter  decision  making. 


Is  Your  Business 
Read}  for  a  Truly 
Strategic  CIO? 

Five  indicators  that  your  enterprise  will 

accept  a  CIO  who  focuses  on  more  than  IT 

1.  Relative  to  other  capital  spending,  executives  perceive 
major  investments  in  IT  as  sound  business  practice. 

2.  Executives  publicly  and  enthusiastically  acknowledge  the 
importance  of  IT  to  the  business.  They  "get  it." 

3.  Business  leaders  are  educated  about  and  appreciate  the 
transformational  potential  of  IT. 

4.  The  IT  organization  is  viewed  as  a  source  of  innovative 
ideas  for  the  business  as  a  whole. 

5.  Business  units  poach  IT  staff  because  they  know  that's 

where  the  best  and  brightest  and  most  knowledgeable 
come  from.  -C.M. 
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Integration  of  business  and  IT  isn’t  something  that’s  “hopefully"  accomplished  in 
Q . .  .whenever.  As  one  CEO  put  it,  “It’s  as  important  as  water  is  for  sea  traffic.”  And 
since  a  CIO’s  panoramic  view  of  the  business  is  unmatched,  your  role  in  bridging 
this  great  divide  is  critical.  But  how  do  you  actually  do  it?  Where  do  you  start? 


On  the  next  page,  we  begin  to  answer  those  questions.  You’ll  find  insights  from  a 
company  that  has  a  wealth  of  business  process  and  IT  experience.  And  there’s  one 
person  who  can  bring  that  depth  of  knowledge  to  bear  on  your  business.  You.  To 
find  out  more,  go  to  ibm.com/special/cio 
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Future-State  CIO  Model 


lion  U.K.  transportation  company  First- 
Group,  says  it’s  all  about  small  steps. 

“The  key  is  showing,  in  every  inter¬ 
action,  what  you  can  do  for  the  busi¬ 
ness  beyond  running  IT  operations,” 
suggests  Brumby.  By  “relentless  exe¬ 
cution”  and  repeatedly  demonstrating 
skills  in  areas  like  change  leadership 
and  process  improvement,  Brumby 
has  convinced  his  executive  team  that 
a  CIO  can  bring  a  different  value  prop¬ 
osition  to  the  table. 

However, Brumby warns that CIOs who are ambitious in terms of what they believe they can do for and add to their organizations may experience resistance from their executive peers. In order to overcome that, the CIO must make it absolutely clear that he has no secret agenda, no lust for power. “It’s not about one-upsmanship or taking advantage of anybody,” Brumby says. “It’s about doing the right thing for the business. You must be 100 percent authentic when you offer advice.”

According to Henkel at Amer Sports, the CEO and other C-level executives are the soil in which CIOs should sow the seeds of change. For Henkel, his C-level influence sprouted in the smaller organizations that Amer Sports has been acquiring. As these organizations shifted from running on their independent systems to partaking of Amer Sports’ enterprisewide processes, Henkel successfully communicated to those businesses’ leaders that IT and the CIO needed to be intimately and actively involved in the business strategy in order to keep the big picture in sharp focus.

Move  Up  or  Move  Out 

Of course, no matter how authentic and careful you may be, sometimes the resistance is too hard to overcome. If your company is too hidebound to accept you as a strategist, or is not responding positively to your sincere and sustained efforts to move in that direction, it might be time for you to look elsewhere.

According to the CIO Executive Council’s Future-State CIO Model, the CIO role is composed of three fundamental aspects: function head, transformational leader and business strategist. The Future-State CIO will devote a greater percentage of time and focus to the business strategist part of the role. To reach this state successfully, both the CIO’s C-level competencies performance and the organization’s readiness and acceptance of the role must be well-developed and in sync. Otherwise, a frustrating Expectation/Capability Gap will prevail.

“If there’s the wrong organizational structure, the wrong corporate culture, then you can’t be successful as a strategist,” concludes Kumud Kalia, CIO of Direct Energy. In those cases, Kalia suggests that CIOs focus their job search on companies that are looking specifically for strategic leadership from the CIO. And how can you tell? During the interview process, make sure the CEO can explain what he or she means by “strategic” and that that matches your own definition. Also, Kalia advises, try to assess how your business peers will react to working with you as a fellow strategist rather than as a traditional service provider. Direct Energy’s executive committee looked for a strategically oriented CIO, believing that a CIO focused solely on technology would not help grow the business.

“From day one on the job,” says Kalia, “I’ve been accepted and treated as a business peer. I talk about what I’m going to do for the company, not for the IT department specifically.”

Carrie Mathews is senior program manager with the CIO Executive Council. Send feedback on this article to letters@cio.com.

Lessons on Video

To learn more about C-level leadership competencies from the CIO Executive Council, see the OUTLOOK LEADERSHIP video series at www.cio.com/video/outlookseries.


The  CIO  Executive  Council  is  a  professional  organization  for  CIOs  founded  by  CIO’s  publisher.  To  learn  more  about  the  Council, 
visit  www.cioexecutivecouncil.com  or  contact  VP  of  Sales  Dexter  Siglin  at  dsiglin@cio.com  or  508  935-4493. 
we see you taking the next steps toward integration.


Translate IT into “business-ese.” Before IT and business can converge, IT and business must understand each other. So, rather than using techno-speak, explain in business terms how technology can positively impact the organization and give it a competitive advantage.

Take down that wall. Decisions on how IT is employed should be made jointly, by both IT and business decision makers. So the walls between those groups must be removed. That way, it’s not “we-they.” It’s “us” using IT to shape and execute the business strategy.

Balance risk and reward. An IT portfolio should balance “run the business” and “grow the business” projects. The “run” projects keep your current business model working efficiently. The “grow” projects, while more complex, help you expand into new markets and product lines.

Gain a brand-new perspective. Your entire IT organization would benefit from working directly with other business units within the organization. Once your staff is acquainted with specific business challenges, they’re more likely to know how to use technology to solve them.


Now  you’re  four  steps  closer  to  integration.  The  fifth  step?  Choosing  a  partner.  And  we  can  help 
with  that,  too.  If  you  need  someone  with  extensive  integration  experience,  nobody  even  comes 
close  to  IBM.  Our  team  of  over  100,000  delivery  specialists  has  deployed  thousands  of  business 
and  IT  projects  in  multiple  industries.  And  in  many  countries. 

IBM  experts  use  proven  business  modeling  methodologies  to  help  CIOs  decide  which  IT  processes 
drive  the  most  business  value,  and  which  give  you  the  best  competitive  advantage.  Our  financing 
options  turn  up-front  costs  into  affordable  payments.  And  with  a  range  of  outsourcing  solutions,  you 
can  worry  less  about  running  the  business.  So  you  can  focus  on  growing  the  business.  If  your  goal 
is  driving  growth  and  creating  more  collaboration,  we  have  a  suggestion.  Collaborate  with  us. 


We interviewed 170 CIOs and 765
CEOs. Want to know what most CIOs
considered their greatest obstacle?
Find out at ibm.com/special/cio


what  makes  you  special? 


Enterprise security software that gets to threats before they get to you. Crimeware. Malicious users.
Data leakage. The threat landscape is constantly changing. Symantec can provide you with global, 24/7 protection to
safeguard every layer of your enterprise, from your mobile devices to your data center. Our Global Intelligence Services
proactively monitor emerging threats to make sure your business is always protected. Visit symantec.com/confidence

Confidence  in  a  connected  world. 